Search criteria
18 vulnerabilities found for openeclass by openeclass
FKIE_CVE-2024-38530
Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2024-08-13 17:17
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58260FB3-9ABC-426C-9E00-4A8AA7B43028",
"versionEndExcluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the \"save\" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server\u0027s filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16."
},
{
"lang": "es",
"value": "La plataforma Open eClass (anteriormente conocida como GUnet eClass) es un completo sistema de gesti\u00f3n de cursos. Una vulnerabilidad de carga de archivos arbitrarios en la funcionalidad \"guardar\" del m\u00f3dulo H5P permite a usuarios no autenticados cargar archivos arbitrarios en el sistema de archivos del servidor. Esto puede generar RCE sin restricciones en el servidor backend, ya que se puede acceder a la ubicaci\u00f3n de carga desde Internet. Esta vulnerabilidad se solucion\u00f3 en 3.16."
}
],
"id": "CVE-2024-38530",
"lastModified": "2024-08-13T17:17:47.693",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-12T15:15:20.743",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-33253
Vulnerability from fkie_nvd - Published: 2024-06-13 23:15 - Updated: 2024-11-21 09:16
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Summary
Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45900311-03AD-4215-809B-0565B400E43A",
"versionEndIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-site scripting (XSS) en GUnet OpenEclass E-learning Platform versi\u00f3n 3.15 y anteriores permite a un atacante privilegiado autenticado ejecutar c\u00f3digo arbitrario a trav\u00e9s de los campos de t\u00edtulo y descripci\u00f3n de la funci\u00f3n de edici\u00f3n de plantilla de insignia."
}
],
"id": "CVE-2024-33253",
"lastModified": "2024-11-21T09:16:41.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-06-13T23:15:50.403",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-31777
Vulnerability from fkie_nvd - Published: 2024-06-13 23:15 - Updated: 2025-06-18 16:53
Severity ?
Summary
File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/FreySolarEye/Exploit-CVE-2024-31777 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/FreySolarEye/Exploit-CVE-2024-31777 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45900311-03AD-4215-809B-0565B400E43A",
"versionEndIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint."
},
{
"lang": "es",
"value": "Vulnerabilidad de carga de archivos en openeclass v.3.15 y anteriores permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de un archivo manipulado en el endpoint certbadge.php."
}
],
"id": "CVE-2024-31777",
"lastModified": "2025-06-18T16:53:35.487",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-06-13T23:15:50.293",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-26503
Vulnerability from fkie_nvd - Published: 2024-03-14 22:15 - Updated: 2025-06-10 16:05
Severity ?
Summary
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45900311-03AD-4215-809B-0565B400E43A",
"versionEndIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint."
},
{
"lang": "es",
"value": "Vulnerabilidad de carga de archivos sin restricciones en la red de universidades griegas Open eClass v.3.15 y anteriores permite a los atacantes ejecutar c\u00f3digo arbitrario mediante la carga de un archivo manipulado al endpoint certbadge.php."
}
],
"id": "CVE-2024-26503",
"lastModified": "2025-06-10T16:05:55.953",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-14T22:15:22.550",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-33116
Vulnerability from fkie_nvd - Published: 2022-06-27 21:15 - Updated: 2024-11-21 07:07
Severity ?
Summary
An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/gunet/openeclass | Product, Third Party Advisory | |
| cve@mitre.org | https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php | Patch, Vendor Advisory | |
| cve@mitre.org | https://www.openeclass.org/en/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gunet/openeclass | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openeclass.org/en/ | Product, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "355F086D-C1E8-4F7C-A89E-3D8F7BB1B077",
"versionEndIncluding": "3.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal."
},
{
"lang": "es",
"value": "Un problema en la variable jmpath en el archivo /modules/mindmap/index.php de GUnet Open eClass Platform (tambi\u00e9n se conoce como openeclass) versiones v3.12.4 y anteriores, permite a atacantes leer archivos arbitrarios por medio de un salto de directorio"
}
],
"id": "CVE-2022-33116",
"lastModified": "2024-11-21T07:07:33.857",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-27T21:15:08.627",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gunet/openeclass"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.openeclass.org/en/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gunet/openeclass"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.openeclass.org/en/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-7389
Vulnerability from fkie_nvd - Published: 2017-04-01 02:59 - Updated: 2025-04-20 01:37
Severity ?
Summary
Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/webconf/webconf.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/97310 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/gunet/openeclass/issues/11 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97310 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gunet/openeclass/issues/11 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openeclass | openeclass | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8695164-A27A-4498-AE87-55BD4F60E191",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) were discovered in \u0027openeclass Release_3.5.4\u0027. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027 URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
},
{
"lang": "es",
"value": "Se han descubierto m\u00faltiples XSS en \u0027openeclass Release_3.5.4\u0027. Las vulnerabilidades existen debido a la filtraci\u00f3n insuficiente de los datos proporcionados por el usuario (meeting_id, user) pasados a la URL \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027. Un atacante podr\u00eda ejecutar HTML y c\u00f3digo de secuencias de comandos arbitrarios en un navegador en el contexto de un sitio web vulnerable."
}
],
"id": "CVE-2017-7389",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-01T02:59:00.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/gunet/openeclass/issues/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/gunet/openeclass/issues/11"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-38530 (GCVE-0-2024-38530)
Vulnerability from cvelistv5 – Published: 2024-08-12 14:50 – Updated: 2024-08-12 15:30
VLAI?
Title
Open eClass Platform allows Arbitrary File Upload in "modules/h5p/save.php"
Summary
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gunet | openeclass |
Affected:
<= 3.15
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38530",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:29:07.998603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:30:52.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openeclass",
"vendor": "gunet",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the \"save\" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server\u0027s filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T14:50:32.285Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg"
},
{
"name": "https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191"
}
],
"source": {
"advisory": "GHSA-88c3-hp7p-grgg",
"discovery": "UNKNOWN"
},
"title": "Open eClass Platform allows Arbitrary File Upload in \"modules/h5p/save.php\""
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38530",
"datePublished": "2024-08-12T14:50:32.285Z",
"dateReserved": "2024-06-18T16:37:02.729Z",
"dateUpdated": "2024-08-12T15:30:52.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31777 (GCVE-0-2024-31777)
Vulnerability from cvelistv5 – Published: 2024-06-13 00:00 – Updated: 2024-09-06 16:39
VLAI?
Summary
File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31777",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:37:06.238303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T16:39:13.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T22:26:20.009845",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-31777",
"datePublished": "2024-06-13T00:00:00",
"dateReserved": "2024-04-05T00:00:00",
"dateUpdated": "2024-09-06T16:39:13.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33253 (GCVE-0-2024-33253)
Vulnerability from cvelistv5 – Published: 2024-06-13 00:00 – Updated: 2024-08-02 02:27
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function.
Severity ?
6 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T16:05:39.482969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T16:09:09.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T22:27:23.672500",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33253",
"datePublished": "2024-06-13T00:00:00",
"dateReserved": "2024-04-23T00:00:00",
"dateUpdated": "2024-08-02T02:27:53.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26503 (GCVE-0-2024-26503)
Vulnerability from cvelistv5 – Published: 2024-03-14 00:00 – Updated: 2024-08-28 15:03
VLAI?
Summary
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:3.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"status": "affected",
"version": "3.15"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26503",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T18:35:29.268660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:03:36.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T21:18:24.504633",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-26503",
"datePublished": "2024-03-14T00:00:00",
"dateReserved": "2024-02-19T00:00:00",
"dateUpdated": "2024-08-28T15:03:36.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33116 (GCVE-0-2022-33116)
Vulnerability from cvelistv5 – Published: 2022-06-27 20:42 – Updated: 2024-08-03 08:01
VLAI?
Summary
An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:19.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openeclass.org/en/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gunet/openeclass"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T20:42:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openeclass.org/en/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gunet/openeclass"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-33116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openeclass.org/en/",
"refsource": "MISC",
"url": "https://www.openeclass.org/en/"
},
{
"name": "https://github.com/gunet/openeclass",
"refsource": "MISC",
"url": "https://github.com/gunet/openeclass"
},
{
"name": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php",
"refsource": "MISC",
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"name": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/",
"refsource": "MISC",
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-33116",
"datePublished": "2022-06-27T20:42:01",
"dateReserved": "2022-06-13T00:00:00",
"dateUpdated": "2024-08-03T08:01:19.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7389 (GCVE-0-2017-7389)
Vulnerability from cvelistv5 – Published: 2017-04-01 01:07 – Updated: 2024-08-05 15:56
VLAI?
Summary
Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/webconf/webconf.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97310",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gunet/openeclass/issues/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) were discovered in \u0027openeclass Release_3.5.4\u0027. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027 URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-04T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "97310",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gunet/openeclass/issues/11"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7389",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Cross-Site Scripting (XSS) were discovered in \u0027openeclass Release_3.5.4\u0027. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027 URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97310",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97310"
},
{
"name": "https://github.com/gunet/openeclass/issues/11",
"refsource": "CONFIRM",
"url": "https://github.com/gunet/openeclass/issues/11"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7389",
"datePublished": "2017-04-01T01:07:00",
"dateReserved": "2017-03-31T00:00:00",
"dateUpdated": "2024-08-05T15:56:36.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38530 (GCVE-0-2024-38530)
Vulnerability from nvd – Published: 2024-08-12 14:50 – Updated: 2024-08-12 15:30
VLAI?
Title
Open eClass Platform allows Arbitrary File Upload in "modules/h5p/save.php"
Summary
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gunet | openeclass |
Affected:
<= 3.15
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38530",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:29:07.998603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:30:52.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openeclass",
"vendor": "gunet",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the \"save\" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server\u0027s filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T14:50:32.285Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg"
},
{
"name": "https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191"
}
],
"source": {
"advisory": "GHSA-88c3-hp7p-grgg",
"discovery": "UNKNOWN"
},
"title": "Open eClass Platform allows Arbitrary File Upload in \"modules/h5p/save.php\""
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38530",
"datePublished": "2024-08-12T14:50:32.285Z",
"dateReserved": "2024-06-18T16:37:02.729Z",
"dateUpdated": "2024-08-12T15:30:52.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31777 (GCVE-0-2024-31777)
Vulnerability from nvd – Published: 2024-06-13 00:00 – Updated: 2024-09-06 16:39
VLAI?
Summary
File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31777",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:37:06.238303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T16:39:13.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T22:26:20.009845",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FreySolarEye/Exploit-CVE-2024-31777"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-31777",
"datePublished": "2024-06-13T00:00:00",
"dateReserved": "2024-04-05T00:00:00",
"dateUpdated": "2024-09-06T16:39:13.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33253 (GCVE-0-2024-33253)
Vulnerability from nvd – Published: 2024-06-13 00:00 – Updated: 2024-08-02 02:27
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function.
Severity ?
6 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"lessThanOrEqual": "3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T16:05:39.482969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T16:09:09.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in GUnet OpenEclass E-learning Platform version 3.15 and before allows a authenticated privileged attacker to execute arbitrary code via the title and description fields of the badge template editing function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T22:27:23.672500",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FreySolarEye/CVE/blob/master/GUnet%20OpenEclass%20E-learning%20platform%203.15%20-%20%27certbadge.php%27%20Stored%20Cross%20Site%20Scripting"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33253",
"datePublished": "2024-06-13T00:00:00",
"dateReserved": "2024-04-23T00:00:00",
"dateUpdated": "2024-08-02T02:27:53.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26503 (GCVE-0-2024-26503)
Vulnerability from nvd – Published: 2024-03-14 00:00 – Updated: 2024-08-28 15:03
VLAI?
Summary
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gunet:open_eclass_platform:3.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "open_eclass_platform",
"vendor": "gunet",
"versions": [
{
"status": "affected",
"version": "3.15"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26503",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T18:35:29.268660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:03:36.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T21:18:24.504633",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.less-secure.com/2024/03/open-eclass-cve-2024-26503-unrestricted.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-26503",
"datePublished": "2024-03-14T00:00:00",
"dateReserved": "2024-02-19T00:00:00",
"dateUpdated": "2024-08-28T15:03:36.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33116 (GCVE-0-2022-33116)
Vulnerability from nvd – Published: 2022-06-27 20:42 – Updated: 2024-08-03 08:01
VLAI?
Summary
An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:19.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openeclass.org/en/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gunet/openeclass"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T20:42:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openeclass.org/en/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gunet/openeclass"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-33116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openeclass.org/en/",
"refsource": "MISC",
"url": "https://www.openeclass.org/en/"
},
{
"name": "https://github.com/gunet/openeclass",
"refsource": "MISC",
"url": "https://github.com/gunet/openeclass"
},
{
"name": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php",
"refsource": "MISC",
"url": "https://hg.gunet.gr/openeclass/diff/cbfc90094d51/modules/mindmap/index.php"
},
{
"name": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/",
"refsource": "MISC",
"url": "https://emaragkos.gr/gunet-open-eclass-authenticated-path-traversal/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-33116",
"datePublished": "2022-06-27T20:42:01",
"dateReserved": "2022-06-13T00:00:00",
"dateUpdated": "2024-08-03T08:01:19.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7389 (GCVE-0-2017-7389)
Vulnerability from nvd – Published: 2017-04-01 01:07 – Updated: 2024-08-05 15:56
VLAI?
Summary
Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/webconf/webconf.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97310",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gunet/openeclass/issues/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) were discovered in \u0027openeclass Release_3.5.4\u0027. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027 URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-04T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "97310",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97310"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gunet/openeclass/issues/11"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7389",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Cross-Site Scripting (XSS) were discovered in \u0027openeclass Release_3.5.4\u0027. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the \u0027openeclass-master/modules/tc/webconf/webconf.php\u0027 URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97310",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97310"
},
{
"name": "https://github.com/gunet/openeclass/issues/11",
"refsource": "CONFIRM",
"url": "https://github.com/gunet/openeclass/issues/11"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7389",
"datePublished": "2017-04-01T01:07:00",
"dateReserved": "2017-03-31T00:00:00",
"dateUpdated": "2024-08-05T15:56:36.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}