9 vulnerabilities found for part-db by part-db_project
FKIE_CVE-2025-55194
Vulnerability from fkie_nvd - Published: 2025-08-13 23:15 - Updated: 2025-08-26 19:17
Summary
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| part-db_project | part-db | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F453A4D0-539A-4D14-B66E-7C9FC4C6B04F",
"versionEndExcluding": "1.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3."
},
{
"lang": "es",
"value": "Part-DB es un sistema de gesti\u00f3n de inventario de c\u00f3digo abierto para componentes electr\u00f3nicos. Antes de la versi\u00f3n 1.17.3, cualquier usuario autenticado pod\u00eda subir una foto de perfil con una extensi\u00f3n de archivo enga\u00f1osa (p. ej., .jpg.txt), lo que provocaba un error interno del servidor 500 persistente al intentar ver o editar el perfil de dicho usuario. Esto hac\u00eda que el perfil fuera permanentemente inaccesible a trav\u00e9s de la interfaz de usuario, tanto para usuarios como para administradores, lo que constitu\u00eda una denegaci\u00f3n de servicio (DoS) en la interfaz de administraci\u00f3n de usuarios. Este problema se ha corregido en la versi\u00f3n 1.17.3."
}
],
"id": "CVE-2025-55194",
"lastModified": "2025-08-26T19:17:38.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-13T23:15:27.327",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-248"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-26042
Vulnerability from fkie_nvd - Published: 2023-02-27 15:15 - Updated: 2024-11-21 07:50
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds; please upgrade to Part-DB 1.0.2 or later.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| part-db_project | part-db | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFE67675-403E-49C9-99BE-E3B4B8BA3C18",
"versionEndExcluding": "1.0.2",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds, please upgrade to Pat-DB 1.0.2 or later."
}
],
"id": "CVE-2023-26042",
"lastModified": "2024-11-21T07:50:38.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-27T15:15:11.753",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-0848
Vulnerability from fkie_nvd - Published: 2022-03-04 09:15 - Updated: 2024-11-21 06:39
Summary
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
References
| Source | URL | Tags |
|---|---|---|
| security@huntr.dev | http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry |
| security@huntr.dev | https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95 | Patch, Third Party Advisory |
| security@huntr.dev | https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6 | Exploit, Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95 | Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| part-db_project | part-db | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*:*",
"matchCriteriaId": "854B4766-44A7-4A98-8687-874BED31CEDC",
"versionEndExcluding": "0.5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11."
},
{
"lang": "es",
"value": "Una Inyecci\u00f3n de Comandos del Sistema Operativo en el repositorio de GitHub part-db/part-db versiones anteriores a 0.5.11"
}
],
"id": "CVE-2022-0848",
"lastModified": "2024-11-21T06:39:31.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-04T09:15:07.647",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
},
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-55194 (GCVE-0-2025-55194)
Vulnerability from cvelistv5 – Published: 2025-08-13 22:46 – Updated: 2025-08-14 14:51
Title
Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload
Summary
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.
Severity
5.7 (Medium)
CWE
- CWE-248 - Uncaught Exception
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Part-DB | Part-DB-server | Affected: < 1.17.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:33:50.624240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:51:03.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Part-DB-server",
"vendor": "Part-DB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T22:46:30.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa"
},
{
"name": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
}
],
"source": {
"advisory": "GHSA-7rv3-rcxv-69ww",
"discovery": "UNKNOWN"
},
"title": "Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55194",
"datePublished": "2025-08-13T22:46:30.217Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-08-14T14:51:03.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26042 (GCVE-0-2023-26042)
Vulnerability from cvelistv5 – Published: 2023-02-27 14:41 – Updated: 2025-03-10 17:48
Title
HTML/XSS injection possibilities in Part-DB
Summary
Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds; please upgrade to Part-DB 1.0.2 or later.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Part-DB | Part-DB-server | Affected: < 1.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/pull/227",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T17:48:19.007569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T17:48:28.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Part-DB-server",
"vendor": "Part-DB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds, please upgrade to Pat-DB 1.0.2 or later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-27T14:41:24.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/pull/227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
}
],
"source": {
"advisory": "GHSA-9pmh-gmxx-rg2x",
"discovery": "UNKNOWN"
},
"title": "HTML/XSS injection possibilities in Part-DB "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-26042",
"datePublished": "2023-02-27T14:41:24.145Z",
"dateReserved": "2023-02-17T22:44:03.149Z",
"dateUpdated": "2025-03-10T17:48:28.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0848 (GCVE-0-2022-0848)
Vulnerability from cvelistv5 – Published: 2022-03-04 08:25 – Updated: 2024-08-02 23:40
Title
OS Command Injection in part-db/part-db
Summary
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
Severity
10 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Impacted products
| Vendor | Product | Version |
|---|---|---|
| part-db | part-db/part-db | Affected: unspecified, < 0.5.11 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "part-db/part-db",
"vendor": "part-db",
"versions": [
{
"lessThan": "0.5.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T17:06:22",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
],
"source": {
"advisory": "3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in part-db/part-db",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0848",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in part-db/part-db"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "part-db/part-db",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.5.11"
}
]
}
}
]
},
"vendor_name": "part-db"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"name": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95",
"refsource": "MISC",
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"name": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
]
},
"source": {
"advisory": "3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0848",
"datePublished": "2022-03-04T08:25:10",
"dateReserved": "2022-03-04T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55194 (GCVE-0-2025-55194)
Vulnerability from nvd – Published: 2025-08-13 22:46 – Updated: 2025-08-14 14:51
Title
Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload
Summary
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.
Severity
5.7 (Medium)
CWE
- CWE-248 - Uncaught Exception
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Part-DB | Part-DB-server | Affected: < 1.17.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:33:50.624240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:51:03.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Part-DB-server",
"vendor": "Part-DB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T22:46:30.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa"
},
{
"name": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
}
],
"source": {
"advisory": "GHSA-7rv3-rcxv-69ww",
"discovery": "UNKNOWN"
},
"title": "Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55194",
"datePublished": "2025-08-13T22:46:30.217Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-08-14T14:51:03.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26042 (GCVE-0-2023-26042)
Vulnerability from nvd – Published: 2023-02-27 14:41 – Updated: 2025-03-10 17:48
Title
HTML/XSS injection possibilities in Part-DB
Summary
Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds; please upgrade to Part-DB 1.0.2 or later.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Part-DB | Part-DB-server | Affected: < 1.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/pull/227",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T17:48:19.007569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T17:48:28.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Part-DB-server",
"vendor": "Part-DB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds, please upgrade to Pat-DB 1.0.2 or later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-27T14:41:24.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2x"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/pull/227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/pull/227"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e00d7347099"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2"
}
],
"source": {
"advisory": "GHSA-9pmh-gmxx-rg2x",
"discovery": "UNKNOWN"
},
"title": "HTML/XSS injection possibilities in Part-DB "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-26042",
"datePublished": "2023-02-27T14:41:24.145Z",
"dateReserved": "2023-02-17T22:44:03.149Z",
"dateUpdated": "2025-03-10T17:48:28.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0848 (GCVE-0-2022-0848)
Vulnerability from nvd – Published: 2022-03-04 08:25 – Updated: 2024-08-02 23:40
Title
OS Command Injection in part-db/part-db
Summary
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
Severity
10 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| part-db | part-db/part-db | Affected: unspecified , < 0.5.11 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "part-db/part-db",
"vendor": "part-db",
"versions": [
{
"lessThan": "0.5.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T17:06:22",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
],
"source": {
"advisory": "3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in part-db/part-db",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0848",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in part-db/part-db"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "part-db/part-db",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.5.11"
}
]
}
}
]
},
"vendor_name": "part-db"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6"
},
{
"name": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95",
"refsource": "MISC",
"url": "https://github.com/part-db/part-db/commit/9cd4eee393028aa4cab70fcbac284b0028c0bc95"
},
{
"name": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166217/part-db-0.5.11-Remote-Code-Execution.html"
}
]
},
"source": {
"advisory": "3e91685f-cfb9-4ee4-abaf-9b712a8fd5a6",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0848",
"datePublished": "2022-03-04T08:25:10",
"dateReserved": "2022-03-04T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}