Search criteria
12 vulnerabilities found for engelsystem by engelsystem
FKIE_CVE-2023-50924
Vulnerability from fkie_nvd - Published: 2023-12-22 21:15 - Updated: 2024-11-21 08:37
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| engelsystem | engelsystem | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:engelsystem:engelsystem:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FFE9236-E9EA-4C61-908B-D8F668F22099",
"versionEndExcluding": "3.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user\u0027s context. This vulnerability enables an authenticated user to inject Javascript into other user\u0027s sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1."
},
{
"lang": "es",
"value": "Englesystem es un sistema de planificaci\u00f3n de turnos para eventos de caos. Engelsystem anterior a v3.4.1 realizaba una validaci\u00f3n insuficiente de los datos proporcionados por el usuario para los campos de DECT number, mobile number y work-log comment fields. Los valores de esos campos se mostrar\u00edan en las descripciones generales de registros correspondientes, lo que permitir\u00eda la inyecci\u00f3n y ejecuci\u00f3n de c\u00f3digo Javascript en el contexto de otro usuario. Esta vulnerabilidad permite a un usuario autenticado inyectar Javascript en las sesiones de otros usuarios. El JS inyectado se ejecutar\u00e1 durante el uso normal del sistema al visualizar, por ejemplo, p\u00e1ginas de descripci\u00f3n general. Este problema se solucion\u00f3 en la versi\u00f3n 3.4.1."
}
],
"id": "CVE-2023-50924",
"lastModified": "2024-11-21T08:37:32.523",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-22T21:15:08.370",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-45152
Vulnerability from fkie_nvd - Published: 2023-10-17 00:15 - Updated: 2024-11-21 08:26
Severity ?
2.0 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Engelsystem is a shift planning system for chaos events. A Blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| engelsystem | engelsystem | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:engelsystem:engelsystem:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0F10C38-ED39-422A-8507-FA4099FAEE32",
"versionEndExcluding": "2023-09-18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. A Blind SSRF in the \"Import schedule\" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication."
},
{
"lang": "es",
"value": "Engelsystem es un sistema de planificaci\u00f3n de turnos para eventos de caos. Un Blind SSRF en la funcionalidad \"Import schedule\" permite realizar una exploraci\u00f3n de puertos en el entorno local. Esta vulnerabilidad se ha solucionado en el commit ee7d30b33. Si no se puede implementar un parche, los operadores deben asegurarse de que ning\u00fan servicio HTTP escuche en el host local y/o en sistemas a los que solo se pueda acceder desde el host que ejecuta el software engelsystem. Si dichos servicios son necesarios, deber\u00edan utilizar autenticaci\u00f3n adicional."
}
],
"id": "CVE-2023-45152",
"lastModified": "2024-11-21T08:26:27.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-17T00:15:11.140",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-45659
Vulnerability from fkie_nvd - Published: 2023-10-17 00:15 - Updated: 2024-11-21 08:27
Severity ?
3.6 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| engelsystem | engelsystem | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:engelsystem:engelsystem:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0F10C38-ED39-422A-8507-FA4099FAEE32",
"versionEndExcluding": "2023-09-18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. If a users\u0027 password is compromised and an attacker gained access to a users\u0027 account, i.e., logged in and obtained a session, an attackers\u0027 session is not terminated if the users\u0027 account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Engelsystem es un sistema de planificaci\u00f3n de turnos para eventos de chaos. Si la contrase\u00f1a de un usuario se ve comprometida y un atacante obtuvo acceso a la cuenta de un usuario, es decir, inici\u00f3 sesi\u00f3n y obtuvo una sesi\u00f3n, la sesi\u00f3n del atacante no finaliza si se restablece la contrase\u00f1a de la cuenta de los usuarios. Esta vulnerabilidad se ha solucionado en el commit `dbb089315ff3d`. Se recomienda a los usuarios que actualicen sus instalaciones. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2023-45659",
"lastModified": "2024-11-21T08:27:09.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-17T00:15:11.233",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2018-19182
Vulnerability from fkie_nvd - Published: 2018-12-26 21:29 - Updated: 2024-11-21 03:57
Severity ?
Summary
Engelsystem before commit hash 2e28336 allows CSRF.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/engelsystem/engelsystem/issues/494 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/engelsystem/engelsystem/issues/494 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| engelsystem | engelsystem | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:engelsystem:engelsystem:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8C61A9A-5766-43A3-9026-2700B905A6C1",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem before commit hash 2e28336 allows CSRF."
},
{
"lang": "es",
"value": "Engelsystem, antes del commit con hash 2e28336, permite Cross-Site Request Forgery (CSRF)."
}
],
"id": "CVE-2018-19182",
"lastModified": "2024-11-21T03:57:29.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-26T21:29:01.997",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-50924 (GCVE-0-2023-50924)
Vulnerability from cvelistv5 – Published: 2023-12-22 20:37 – Updated: 2024-11-27 15:33
VLAI?
Title
Stored XSS in Overview and Output fields
Summary
Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< 3.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T15:33:23.943034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:33:49.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user\u0027s context. This vulnerability enables an authenticated user to inject Javascript into other user\u0027s sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:37:47.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
}
],
"source": {
"advisory": "GHSA-p5ch-rrpm-wvhm",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Overview and Output fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50924",
"datePublished": "2023-12-22T20:37:47.224Z",
"dateReserved": "2023-12-15T20:57:23.174Z",
"dateUpdated": "2024-11-27T15:33:49.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45152 (GCVE-0-2023-45152)
Vulnerability from cvelistv5 – Published: 2023-10-16 23:34 – Updated: 2024-09-13 20:11
VLAI?
Title
Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem
Summary
Engelsystem is a shift planning system for chaos events. A Blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< ee7d30b33
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T20:11:12.533591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T20:11:31.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c ee7d30b33"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. A Blind SSRF in the \"Import schedule\" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T23:34:28.735Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
}
],
"source": {
"advisory": "GHSA-jj9g-75wf-6ppf",
"discovery": "UNKNOWN"
},
"title": "Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45152",
"datePublished": "2023-10-16T23:34:28.735Z",
"dateReserved": "2023-10-04T16:02:46.331Z",
"dateUpdated": "2024-09-13T20:11:31.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45659 (GCVE-0-2023-45659)
Vulnerability from cvelistv5 – Published: 2023-10-16 23:32 – Updated: 2024-09-13 20:08
VLAI?
Title
Session is not expiring after password reset in Engelsystem
Summary
Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< dbb089315ff3d
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:16.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45659",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T20:07:56.735705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T20:08:55.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c dbb089315ff3d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. If a users\u0027 password is compromised and an attacker gained access to a users\u0027 account, i.e., logged in and obtained a session, an attackers\u0027 session is not terminated if the users\u0027 account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T23:32:57.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
}
],
"source": {
"advisory": "GHSA-f6mm-3v2h-jm6x",
"discovery": "UNKNOWN"
},
"title": "Session is not expiring after password reset in Engelsystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45659",
"datePublished": "2023-10-16T23:32:57.929Z",
"dateReserved": "2023-10-10T14:36:40.859Z",
"dateUpdated": "2024-09-13T20:08:55.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19182 (GCVE-0-2018-19182)
Vulnerability from cvelistv5 – Published: 2018-12-26 20:00 – Updated: 2024-08-05 11:30
VLAI?
Summary
Engelsystem before commit hash 2e28336 allows CSRF.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:30:04.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-12-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Engelsystem before commit hash 2e28336 allows CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-26T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Engelsystem before commit hash 2e28336 allows CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a",
"refsource": "CONFIRM",
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"name": "https://github.com/engelsystem/engelsystem/issues/494",
"refsource": "CONFIRM",
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19182",
"datePublished": "2018-12-26T20:00:00",
"dateReserved": "2018-11-11T00:00:00",
"dateUpdated": "2024-08-05T11:30:04.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50924 (GCVE-0-2023-50924)
Vulnerability from nvd – Published: 2023-12-22 20:37 – Updated: 2024-11-27 15:33
VLAI?
Title
Stored XSS in Overview and Output fields
Summary
Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< 3.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T15:33:23.943034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:33:49.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user\u0027s context. This vulnerability enables an authenticated user to inject Javascript into other user\u0027s sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:37:47.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-p5ch-rrpm-wvhm"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/efda1ffc1ce59f02a7d237d9087adea26e73ec5f"
}
],
"source": {
"advisory": "GHSA-p5ch-rrpm-wvhm",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Overview and Output fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50924",
"datePublished": "2023-12-22T20:37:47.224Z",
"dateReserved": "2023-12-15T20:57:23.174Z",
"dateUpdated": "2024-11-27T15:33:49.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45152 (GCVE-0-2023-45152)
Vulnerability from nvd – Published: 2023-10-16 23:34 – Updated: 2024-09-13 20:11
VLAI?
Title
Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem
Summary
Engelsystem is a shift planning system for chaos events. A Blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< ee7d30b33
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T20:11:12.533591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T20:11:31.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c ee7d30b33"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. A Blind SSRF in the \"Import schedule\" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T23:34:28.735Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295"
}
],
"source": {
"advisory": "GHSA-jj9g-75wf-6ppf",
"discovery": "UNKNOWN"
},
"title": "Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45152",
"datePublished": "2023-10-16T23:34:28.735Z",
"dateReserved": "2023-10-04T16:02:46.331Z",
"dateUpdated": "2024-09-13T20:11:31.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45659 (GCVE-0-2023-45659)
Vulnerability from nvd – Published: 2023-10-16 23:32 – Updated: 2024-09-13 20:08
VLAI?
Title
Session is not expiring after password reset in Engelsystem
Summary
Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| engelsystem | engelsystem |
Affected:
< dbb089315ff3d
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:16.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45659",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T20:07:56.735705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T20:08:55.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "engelsystem",
"vendor": "engelsystem",
"versions": [
{
"status": "affected",
"version": "\u003c dbb089315ff3d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Engelsystem is a shift planning system for chaos events. If a users\u0027 password is compromised and an attacker gained access to a users\u0027 account, i.e., logged in and obtained a session, an attackers\u0027 session is not terminated if the users\u0027 account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T23:32:57.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x"
},
{
"name": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d"
}
],
"source": {
"advisory": "GHSA-f6mm-3v2h-jm6x",
"discovery": "UNKNOWN"
},
"title": "Session is not expiring after password reset in Engelsystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45659",
"datePublished": "2023-10-16T23:32:57.929Z",
"dateReserved": "2023-10-10T14:36:40.859Z",
"dateUpdated": "2024-09-13T20:08:55.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19182 (GCVE-0-2018-19182)
Vulnerability from nvd – Published: 2018-12-26 20:00 – Updated: 2024-08-05 11:30
VLAI?
Summary
Engelsystem before commit hash 2e28336 allows CSRF.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:30:04.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-12-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Engelsystem before commit hash 2e28336 allows CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-26T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Engelsystem before commit hash 2e28336 allows CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a",
"refsource": "CONFIRM",
"url": "https://github.com/MyIgel/engelsystem/commit/2e28336818183e2c63c8015fb476bc01c822f50a"
},
{
"name": "https://github.com/engelsystem/engelsystem/issues/494",
"refsource": "CONFIRM",
"url": "https://github.com/engelsystem/engelsystem/issues/494"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19182",
"datePublished": "2018-12-26T20:00:00",
"dateReserved": "2018-11-11T00:00:00",
"dateUpdated": "2024-08-05T11:30:04.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}