Search criteria
18 vulnerabilities found for vince by cert
FKIE_CVE-2024-10469
Vulnerability from fkie_nvd - Published: 2024-10-28 16:15 - Updated: 2025-03-17 17:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | https://github.com/CERTCC/VINCE/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2518DB5A-BCCA-42BD-9E24-D283F33423B1",
"versionEndExcluding": "3.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
},
{
"lang": "es",
"value": "Las versiones de VINCE anteriores a 3.0.9 son vulnerables a la exposici\u00f3n de informaci\u00f3n del usuario a usuarios autenticados."
}
],
"id": "CVE-2024-10469",
"lastModified": "2025-03-17T17:15:20.267",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-28T16:15:03.667",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Product"
],
"url": "https://github.com/CERTCC/VINCE/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-9953
Vulnerability from fkie_nvd - Published: 2024-10-14 22:15 - Updated: 2025-03-20 19:15
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3C544DF4-D81C-4B8B-BF53-36E89EE2D4AA",
"versionEndExcluding": "3.0.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio potencial en el software CERT VINCE anterior a la versi\u00f3n 3.0.8. Un usuario administrativo autenticado puede inyectar un objeto pickle arbitrario como parte del perfil de un usuario. Esto puede provocar una posible denegaci\u00f3n de servicio en el servidor cuando se accede al perfil del usuario. El servidor Django impide que la desinstalaci\u00f3n del pickle haga que el servidor se bloquee."
}
],
"id": "CVE-2024-9953",
"lastModified": "2025-03-20T19:15:36.063",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-14T22:15:03.957",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Patch"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40238
Vulnerability from fkie_nvd - Published: 2022-10-26 16:15 - Updated: 2025-05-07 14:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58F8BC83-A575-47AB-A806-08EEFF4C7992",
"versionEndExcluding": "1.50.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de inyecci\u00f3n remota de c\u00f3digo en el software CERT versiones anteriores a 1.50.5. Un atacante autenticado puede inyectar un objeto pickle arbitrario como parte del perfil de un usuario. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo en el servidor cuando accede al perfil del usuario"
}
],
"id": "CVE-2022-40238",
"lastModified": "2025-05-07T14:15:32.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-26T16:15:11.757",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40257
Vulnerability from fkie_nvd - Published: 2022-10-10 20:15 - Updated: 2024-11-21 07:21
Severity ?
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "841576D6-9C93-404A-8249-AD59C0B276DD",
"versionEndExcluding": "1.50.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de inyecci\u00f3n HTML en el software CERT/CC VINCE versiones anteriores a 1.50.4. Un atacante autenticado puede inyectar HTML arbitrario por medio de un correo electr\u00f3nico dise\u00f1ado con contenido HTML en el campo Subject"
}
],
"id": "CVE-2022-40257",
"lastModified": "2024-11-21T07:21:08.547",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-10T20:15:09.793",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40248
Vulnerability from fkie_nvd - Published: 2022-10-10 20:15 - Updated: 2024-11-21 07:21
Severity ?
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "841576D6-9C93-404A-8249-AD59C0B276DD",
"versionEndExcluding": "1.50.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
},
{
"lang": "es",
"value": "El software CERT/CC VINCE versiones anteriores a 1.50.4 presenta una vulnerabilidad de inyecci\u00f3n de HTML. Un atacante autenticado puede inyectar HTML arbitrario por medio de un formulario usando el campo \"Product Affected\""
}
],
"id": "CVE-2022-40248",
"lastModified": "2024-11-21T07:21:08.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-10T20:15:09.727",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-25799
Vulnerability from fkie_nvd - Published: 2022-08-16 22:15 - Updated: 2024-11-21 06:53
Severity ?
Summary
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html | Exploit, Third Party Advisory | |
| cret@cert.org | https://github.com/CERTCC/VINCE/issues/45 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/CERTCC/VINCE/issues/45 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*",
"matchCriteriaId": "996A047E-B6BD-4CA2-AFFE-25FD35000D66",
"versionEndExcluding": "1.50.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de redirecci\u00f3n abierta en el software CERT/CC VINCE anterior a la versi\u00f3n 1.50.0. Un atacante podr\u00eda enviar un enlace con una URL especialmente dise\u00f1ada y convencer al usuario de que haga clic en el enlace. Cuando un usuario autenticado hace clic en el enlace, el navegador del usuario autenticado podr\u00eda ser redirigido a un sitio malicioso que est\u00e1 dise\u00f1ado para hacerse pasar por un sitio web leg\u00edtimo. El atacante podr\u00eda enga\u00f1ar al usuario y potencialmente adquirir informaci\u00f3n sensible como las credenciales del usuario"
}
],
"id": "CVE-2022-25799",
"lastModified": "2024-11-21T06:53:01.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-16T22:15:08.147",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"source": "cret@cert.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-10469 (GCVE-0-2024-10469)
Vulnerability from cvelistv5 – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
VLAI?
Title
CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
Summary
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
Severity ?
4.4 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
This issues was reported by an internal user of VINCE
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T20:33:48.131122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:23:01.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issues was reported by an internal user of VINCE"
}
],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T22:10:00.825Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VINCE Project open source repository",
"url": "https://github.com/CERTCC/VINCE/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-10469",
"datePublished": "2024-10-28T15:38:29.062Z",
"dateReserved": "2024-10-28T15:20:34.868Z",
"dateUpdated": "2025-08-25T22:10:00.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9953 (GCVE-0-2024-9953)
Vulnerability from cvelistv5 – Published: 2024-10-14 21:19 – Updated: 2025-03-20 18:58
VLAI?
Title
Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8
Summary
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
Severity ?
4.9 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - Vulnerability Information and Coordination Environment |
Affected:
* , < 3.0.8
(custom)
|
Credits
Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-9953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:41:05.626356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:58:47.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE - Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process."
}
],
"descriptions": [
{
"lang": "en",
"value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:14:26.539Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERT/CC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-9953",
"datePublished": "2024-10-14T21:19:26.517Z",
"dateReserved": "2024-10-14T20:49:18.194Z",
"dateUpdated": "2025-03-20T18:58:47.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40238 (GCVE-0-2022-40238)
Vulnerability from cvelistv5 – Published: 2022-10-26 15:15 – Updated: 2025-05-07 13:31
VLAI?
Title
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5
Summary
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.5
(custom)
|
Credits
Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:31:11.683062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:31:41.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.5",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC "
}
],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:36:54.112Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40238",
"datePublished": "2022-10-26T15:15:45.247Z",
"dateReserved": "2022-09-08T19:14:18.690Z",
"dateUpdated": "2025-05-07T13:31:41.213Z",
"requesterUserId": "b7e00183-089e-4194-bbe8-4b7d6adf6c7f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40257 (GCVE-0-2022-40257)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
VLAI?
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
Severity ?
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.4
(custom)
|
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment ",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC "
}
],
"datePublic": "2022-10-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:41.256Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40257",
"datePublished": "2022-10-10T00:00:00",
"dateReserved": "2022-09-08T00:00:00",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40248 (GCVE-0-2022-40248)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
VLAI?
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
Severity ?
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.4
(custom)
|
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment ",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC "
}
],
"datePublic": "2022-10-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:23.260Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40248",
"datePublished": "2022-10-10T00:00:00",
"dateReserved": "2022-09-08T00:00:00",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25799 (GCVE-0-2022-25799)
Vulnerability from cvelistv5 – Published: 2022-08-16 22:00 – Updated: 2024-09-17 02:06
VLAI?
Title
An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0
Summary
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
Severity ?
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.50.0 , < 1.50.0
(custom)
|
Credits
Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.0",
"status": "affected",
"version": "1.50.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0"
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-25799",
"datePublished": "2022-08-16T22:00:15.993170Z",
"dateReserved": "2022-02-22T00:00:00",
"dateUpdated": "2024-09-17T02:06:51.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10469 (GCVE-0-2024-10469)
Vulnerability from nvd – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
VLAI?
Title
CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
Summary
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
Severity ?
4.4 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
This issues was reported by an internal user of VINCE
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T20:33:48.131122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:23:01.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issues was reported by an internal user of VINCE"
}
],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T22:10:00.825Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VINCE Project open source repository",
"url": "https://github.com/CERTCC/VINCE/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-10469",
"datePublished": "2024-10-28T15:38:29.062Z",
"dateReserved": "2024-10-28T15:20:34.868Z",
"dateUpdated": "2025-08-25T22:10:00.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9953 (GCVE-0-2024-9953)
Vulnerability from nvd – Published: 2024-10-14 21:19 – Updated: 2025-03-20 18:58
VLAI?
Title
Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8
Summary
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
Severity ?
4.9 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - Vulnerability Information and Coordination Environment |
Affected:
* , < 3.0.8
(custom)
|
Credits
Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-9953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:41:05.626356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:58:47.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE - Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process."
}
],
"descriptions": [
{
"lang": "en",
"value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:14:26.539Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERT/CC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-9953",
"datePublished": "2024-10-14T21:19:26.517Z",
"dateReserved": "2024-10-14T20:49:18.194Z",
"dateUpdated": "2025-03-20T18:58:47.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40238 (GCVE-0-2022-40238)
Vulnerability from nvd – Published: 2022-10-26 15:15 – Updated: 2025-05-07 13:31
VLAI?
Title
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5
Summary
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.5
(custom)
|
Credits
Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:31:11.683062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:31:41.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.5",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC "
}
],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:36:54.112Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40238",
"datePublished": "2022-10-26T15:15:45.247Z",
"dateReserved": "2022-09-08T19:14:18.690Z",
"dateUpdated": "2025-05-07T13:31:41.213Z",
"requesterUserId": "b7e00183-089e-4194-bbe8-4b7d6adf6c7f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40257 (GCVE-0-2022-40257)
Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
VLAI?
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
Severity ?
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.4
(custom)
|
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment ",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC "
}
],
"datePublic": "2022-10-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:41.256Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40257",
"datePublished": "2022-10-10T00:00:00",
"dateReserved": "2022-09-08T00:00:00",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40248 (GCVE-0-2022-40248)
Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
VLAI?
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
Severity ?
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.4
(custom)
|
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment ",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC "
}
],
"datePublic": "2022-10-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:23.260Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40248",
"datePublished": "2022-10-10T00:00:00",
"dateReserved": "2022-09-08T00:00:00",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25799 (GCVE-0-2022-25799)
Vulnerability from nvd – Published: 2022-08-16 22:00 – Updated: 2024-09-17 02:06
VLAI?
Title
An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0
Summary
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
Severity ?
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.50.0 , < 1.50.0
(custom)
|
Credits
Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.0",
"status": "affected",
"version": "1.50.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0"
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-25799",
"datePublished": "2022-08-16T22:00:15.993170Z",
"dateReserved": "2022-02-22T00:00:00",
"dateUpdated": "2024-09-17T02:06:51.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}