Search criteria
11 vulnerabilities found for vulnerability-lookup by CIRCL
GCVE-1-2025-0009
Vulnerability from gna-1 – Published: 2025-10-13 09:20 – Updated: 2025-10-13 09:20
VLAI?
Summary
A pre-auth user could self-assign a reporter without being authenticated
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
|
Credits
🕵️♂️ Jeroen Pinoy - @Wachizungu 🐞
Cedric Bonhomme
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy - @Wachizungu"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A pre-auth user could self-assign a reporter without being authenticated"
}
],
"value": "A pre-auth user could self-assign a reporter without being authenticated"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/6f7b4af932ebd04fa899eb7780fb6b007f442eac"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A pre-auth user could self-assign a reporter without being authenticated",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-10-13T09:20:24.800890Z",
"dateUpdated": "2025-10-13T09:20:24.800890Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0009",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T09:20:24.800890Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0008
Vulnerability from gna-1 – Published: 2025-10-13 09:10 – Updated: 2025-10-13 09:15
VLAI?
Summary
Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure).
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
|
Credits
🕵️♂️ Jeroen Pinoy - @Wachizungu 🐞
Cedric Bonhomme
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy - @Wachizungu"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure)."
}
],
"value": "Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure)."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/aabc899c7d76dca0cf66718bbd2fb95cfd31b0ed"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Logged users can view vulnerability disclosure comments if they know the ID",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-10-13T09:10:00.000Z",
"dateUpdated": "2025-10-13T09:15:31.637686Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0008",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T09:10:54.912715Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T09:15:31.637686Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0007
Vulnerability from gna-1 – Published: 2025-10-13 08:37 – Updated: 2025-10-13 08:51
VLAI?
Summary
Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
|
Credits
🕵️♂️ Jeroen Pinoy - @Wachizungu 🐞
Cedric Bonhomme
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy - @Wachizungu"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability."
}
],
"value": "Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/S:N/AU:N/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/326ce42d8661603b4b3b3c5d45992758de0f804a"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing email validation on user management",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-10-13T08:37:00.000Z",
"dateUpdated": "2025-10-13T08:51:37.408861Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0007",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T08:37:18.494750Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T08:51:37.408861Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0006
Vulnerability from gna-1 – Published: 2025-10-13 08:29 – Updated: 2025-10-13 08:52
VLAI?
Summary
Potential self XSS in admin in the CPE add interface in the models/organization.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
|
Credits
🕵️♂️ Jeroen Pinoy - @Wachizungu 🐞
Cedric Bonhomme
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy - @Wachizungu"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential self XSS in admin in the CPE add interface in the models/organization."
}
],
"value": "Potential self XSS in admin in the CPE add interface in the models/organization."
}
],
"impacts": [
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/540366000f2fa27b08bbcc42b1e89927b68b9df6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS in admin CPE in organization model",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-10-13T08:29:00.000Z",
"dateUpdated": "2025-10-13T08:52:23.411325Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0006",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T08:29:46.581792Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T08:52:23.411325Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0005
Vulnerability from gna-1 – Published: 2025-10-13 08:23 – Updated: 2025-10-13 08:23
VLAI?
Summary
Insecure use of Markup in views/home which leads to potential reflected XSS.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
≤ 2.16
|
Credits
🕵️♂️ Jeroen Pinoy - @Wachizungu 🐞
Cedric Bonhomme
📸 Alexandre Dulaunoy 🎨
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThanOrEqual": "2.16",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy - @Wachizungu"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"datePublic": "2025-10-10T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure use of Markup in views/home which leads to potential reflected XSS."
}
],
"value": "Insecure use of Markup in views/home which leads to potential reflected XSS."
}
],
"impacts": [
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/378ccdf95882d1a02576552e26ce222cde0bd636"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS due to insecure use of Markup",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-10-13T08:23:29.812914Z",
"dateUpdated": "2025-10-13T08:23:29.812914Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0005",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-10-13T08:23:29.812914Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0004
Vulnerability from gna-1 – Published: 2025-09-25 14:10 – Updated: 2025-11-19 10:16
VLAI?
Summary
A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
< 2.16.0
|
Credits
🕵️♂️ @Wachizungu 🐞
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.16.0",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "@Wachizungu"
},
{
"lang": "en",
"type": "finder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of \u003ccode\u003einnerHTML\u003c/code\u003e and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing \u003ccode\u003einnerHTML\u003c/code\u003e assignments with safer DOM methods, encoding URLs with \u003ccode\u003eencodeURIComponent\u003c/code\u003e, and improving input validation in the affected models."
}
],
"value": "A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Comments, Bundles, and Sightings component of vulnerability-lookup",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "cve-2025-60249",
"datePublished": "2025-09-25T14:10:00.000Z",
"dateUpdated": "2025-11-19T10:16:47.656802Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0004",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-09-25T14:10:26.445421Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-11-19T10:16:47.656802Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0001
Vulnerability from gna-1 – Published: 2025-05-27 08:58 – Updated: 2025-05-30 14:27
VLAI?
Summary
The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Affected:
≤ 2.10.0
(semver)
|
Credits
Devansh Chauhan
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"repo": "https://github.com/vulnerability-lookup/vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"changes": [
{
"at": "2.10.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.10.0",
"status": "affected",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Devansh Chauhan"
}
],
"datePublic": "2025-05-27T08:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/AU:Y/R:U/RE:L/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/cf9000ec0bb17b5d2ff8fe5177e5bd14d666bd08"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.10.1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-05-27T08:58:00.000Z",
"dateUpdated": "2025-05-30T14:27:56.273945Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0001",
"vulnerabilitylookup_history": [
[
"cedric.bonhomme@circl.lu",
"2025-05-27T08:58:26.587622Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-05-27T12:19:23.219289Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-05-27T12:22:53.439544Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-05-27T12:23:35.245899Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-05-30T14:18:32.214488Z"
],
[
"cedric.bonhomme@circl.lu",
"2025-05-30T14:27:56.273945Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60249 (GCVE-0-2025-60249)
Vulnerability from cvelistv5 – Published: 2025-09-25 00:00 – Updated: 2025-09-26 17:44
VLAI?
Summary
vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
2.16.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T17:43:48.433562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T17:44:06.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected",
"version": "2.16.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T17:14:03.641Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-60249",
"datePublished": "2025-09-25T00:00:00.000Z",
"dateReserved": "2025-09-25T00:00:00.000Z",
"dateUpdated": "2025-09-26T17:44:06.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32413 (GCVE-0-2025-32413)
Vulnerability from cvelistv5 – Published: 2025-04-08 00:00 – Updated: 2025-04-08 14:52
VLAI?
Summary
Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Affected:
0 , < 2.7.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T14:28:55.601560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T14:52:10.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T02:27:52.326Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/0a120af1de4a0a13bc2e2000f3c4639291122ba0"
},
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/compare/v2.7.0...v2.7.1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32413",
"datePublished": "2025-04-08T00:00:00.000Z",
"dateReserved": "2025-04-08T00:00:00.000Z",
"dateUpdated": "2025-04-08T14:52:10.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60249 (GCVE-0-2025-60249)
Vulnerability from nvd – Published: 2025-09-25 00:00 – Updated: 2025-09-26 17:44
VLAI?
Summary
vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | vulnerability-lookup |
Affected:
2.16.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T17:43:48.433562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T17:44:06.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "vulnerability-lookup",
"vendor": "CIRCL",
"versions": [
{
"status": "affected",
"version": "2.16.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T17:14:03.641Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-60249",
"datePublished": "2025-09-25T00:00:00.000Z",
"dateReserved": "2025-09-25T00:00:00.000Z",
"dateUpdated": "2025-09-26T17:44:06.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32413 (GCVE-0-2025-32413)
Vulnerability from nvd – Published: 2025-04-08 00:00 – Updated: 2025-04-08 14:52
VLAI?
Summary
Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Affected:
0 , < 2.7.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T14:28:55.601560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T14:52:10.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T02:27:52.326Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/0a120af1de4a0a13bc2e2000f3c4639291122ba0"
},
{
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/compare/v2.7.0...v2.7.1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32413",
"datePublished": "2025-04-08T00:00:00.000Z",
"dateReserved": "2025-04-08T00:00:00.000Z",
"dateUpdated": "2025-04-08T14:52:10.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}