14 vulnerabilities by cybonet
CVE-2024-41695 (GCVE-0-2024-41695)
Vulnerability from cvelistv5 – Published: 2024-07-30 09:02 – Updated: 2024-08-02 04:46
VLAI
Title
Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Summary
Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp Mail Relay |
Affected:
All versions , < Upgrade to version 5.2.1 revision 20jun24 security update
(custom)
|
|
| cybonet | pineapp_mail_secure |
Affected:
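0 , < 5.21_r20jun24 (bound as recorded in the CISA-ADP container; the CNA fix text reads "version 5.2.1 revision 20jun24", so this is probably meant as 5.2.1_r20jun24 — confirm before using it for version matching)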
(custom)
cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:* |
Date Public
2024-07-30 08:55
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pineapp_mail_secure",
"vendor": "cybonet",
"versions": [
{
"lessThan": "5.21_r20jun24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T13:52:05.182971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T13:53:50.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 5.2.1 revision 20jun24 security update",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal ,Moriel Harush"
}
],
"datePublic": "2024-07-30T08:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T09:02:21.051Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 5.2.1 revision 20jun24 security update\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to version 5.2.1 revision 20jun24 security update"
}
],
"source": {
"advisory": "ILVN-2023-0179",
"discovery": "UNKNOWN"
},
"title": "Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-41695",
"datePublished": "2024-07-30T09:02:21.051Z",
"dateReserved": "2024-07-21T07:20:40.643Z",
"dateUpdated": "2024-08-02T04:46:52.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41694 (GCVE-0-2024-41694)
Vulnerability from cvelistv5 – Published: 2024-07-30 09:01 – Updated: 2024-08-02 04:46
VLAI
Title
Cybonet – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
Cybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp Mail Relay |
Affected:
All versions , < Upgrade to version 5.2.1 revision 20jun24 security update
(custom)
|
|
| cybonet | pineapp_mail_secure |
Affected:
0 , < 5.2.1_r20jun24
(custom)
cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:* |
Date Public
2024-07-30 08:55
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pineapp_mail_secure",
"vendor": "cybonet",
"versions": [
{
"lessThan": "5.2.1_r20jun24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T13:18:26.703776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T13:50:54.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 5.2.1 revision 20jun24 security update",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal ,Moriel Harush"
}
],
"datePublic": "2024-07-30T08:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T09:01:27.183Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 5.2.1 revision 20jun24 security update\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to version 5.2.1 revision 20jun24 security update"
}
],
"source": {
"advisory": "ILVN-2023-0178",
"discovery": "UNKNOWN"
},
"title": "Cybonet \u2013 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-41694",
"datePublished": "2024-07-30T09:01:27.183Z",
"dateReserved": "2024-07-21T07:20:40.643Z",
"dateUpdated": "2024-08-02T04:46:52.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31183 (GCVE-0-2023-31183)
Vulnerability from cvelistv5 – Published: 2023-05-08 00:00 – Updated: 2025-01-29 16:11
VLAI
Title
Cybonet PineApp Mail Secure RXSS vulnerability
Summary
Cybonet PineApp Mail Secure: a reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
Date Public
2023-05-08 11:19
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T16:11:25.584338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T16:11:35.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 1.0.10.1646",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Levi"
}
],
"datePublic": "2023-05-08T11:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e Cybonet PineApp Mail Secure\u0026nbsp;A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e\n\n"
}
],
"value": "\n Cybonet PineApp Mail Secure\u00a0A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.\n\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-17T22:01:52.812Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 1.0.10.1646\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nUpgrade to version 1.0.10.1646\n\n\n"
}
],
"source": {
"advisory": "ILVN-2023-0100",
"discovery": "UNKNOWN"
},
"title": " Cybonet PineApp Mail Secure RXSS vulnerability",
"x_generator": {
"engine": "SecretariatVulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2023-31183",
"datePublished": "2023-05-08T00:00:00.000Z",
"dateReserved": "2023-04-24T23:25:07.107Z",
"dateUpdated": "2025-01-29T16:11:35.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22793 (GCVE-0-2022-22793)
Vulnerability from cvelistv5 – Published: 2022-02-24 16:14 – Updated: 2024-09-16 16:52
VLAI
Title
Cybonet - PineApp Mail Relay Local File Inclusion
Summary
Cybonet - PineApp Mail Relay Local File Inclusion. An attacker can send a request to /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCODED PATH and, by doing so, read local files on the server.
Severity
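6.1 (Medium) — CNA-supplied vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H. The local attack vector and low confidentiality impact do not match the file read over a web request described in the summary, so the score may understate the exposure; triage on the description as well as the score.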
CWE
- Local File Inclusion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | Pineapp Mail Relay |
Affected:
PineApp Latest
|
Date Public
2022-02-14 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pineapp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp Latest"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dudu Moyal - Sophtix Security LTD"
}
],
"datePublic": "2022-02-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Local File Inclusion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T16:14:16.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "A patch was released with code hardening by limiting the file path"
}
],
"source": {
"defect": [
"ILVN-2022-0014"
],
"discovery": "INTERNAL"
},
"title": "Cybonet - PineApp Mail Relay Local File Inclusion",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "INCD",
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-02-14T10:16:00.000Z",
"ID": "CVE-2022-22793",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp Mail Relay Local File Inclusion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pineapp Mail Relay",
"version": {
"version_data": [
{
"version_name": "PineApp",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dudu Moyal - Sophtix Security LTD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Local File Inclusion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "A patch was released with code hardening by limiting the file path"
}
],
"source": {
"defect": [
"ILVN-2022-0014"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2022-22793",
"datePublished": "2022-02-24T16:14:16.769Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:52:49.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22794 (GCVE-0-2022-22794)
Vulnerability from cvelistv5 – Published: 2022-02-24 16:14 – Updated: 2024-09-17 03:44
VLAI
Title
Cybonet - PineApp Mail Relay Unauthenticated Sql Injection
Summary
Cybonet - PineApp Mail Relay Unauthenticated SQL Injection. An attacker can send a request to any of: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1, /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1, /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1, /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1, and by doing so achieve remote code execution in a one-liner.
Severity
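6.8 (Medium) — CNA-supplied vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H. The vector assumes local access, low privileges and user interaction, which does not match the unauthenticated web request leading to remote code execution described in the summary; the score likely understates the risk, so prioritise patching on the description rather than on this number alone.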
CWE
- Unauthenticated Sql Injection to Remote Code Execution.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | Pineapp Mail Relay |
Affected:
PineApp Latest
|
Date Public
2022-02-14 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pineapp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp Latest"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dudu Moyal - Sophtix Security LTD"
},
{
"lang": "en",
"value": "Gad Abuhatzeira - Sophtix Security LTD"
}
],
"datePublic": "2022-02-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthenticated Sql Injection to Remote Code Execution.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T16:14:15.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "A patch was released with a hardening of the input validation"
}
],
"source": {
"defect": [
"ILVN-2022-0015"
],
"discovery": "INTERNAL"
},
"title": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "INCD",
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-02-14T10:16:00.000Z",
"ID": "CVE-2022-22794",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pineapp Mail Relay",
"version": {
"version_data": [
{
"version_name": "PineApp",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dudu Moyal - Sophtix Security LTD"
},
{
"lang": "eng",
"value": "Gad Abuhatzeira - Sophtix Security LTD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unauthenticated Sql Injection to Remote Code Execution."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "A patch was released with a hardening of the input validation"
}
],
"source": {
"defect": [
"ILVN-2022-0015"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2022-22794",
"datePublished": "2022-02-24T16:14:15.767Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:44:00.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36719 (GCVE-0-2021-36719)
Vulnerability from cvelistv5 – Published: 2021-12-08 19:25 – Updated: 2024-08-04 01:01
VLAI
Title
Cybonet - PineApp
Summary
PineApp - Mail Secure - The attacker must be logged in as a user to the PineApp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file, thus taking over the server and running remote code.
Severity
No CVSS data available.
CWE
- Authenticated RCE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | third-party-advisory, x_refsource_CERT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp - Mail Secure |
Affected:
PineApp - Mail Secure Latest
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:58.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PineApp - Mail Secure",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp - Mail Secure Latest"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authenticated RCE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-08T19:25:16.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "Code hardening by limiting the upload file to only limited images file types"
}
],
"source": {
"advisory": "ILVN-2021-0004",
"defect": [
"ILVN-2021-0004"
],
"discovery": "EXTERNAL"
},
"title": "Cybonet - PineApp",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-36719",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PineApp - Mail Secure",
"version": {
"version_data": [
{
"version_name": "PineApp - Mail Secure",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authenticated RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "INCD CVE Advisories",
"refsource": "CERT",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "Code hardening by limiting the upload file to only limited images file types"
}
],
"source": {
"advisory": "ILVN-2021-0004",
"defect": [
"ILVN-2021-0004"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-36719",
"datePublished": "2021-12-08T19:25:16.000Z",
"dateReserved": "2021-07-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:01:58.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36720 (GCVE-0-2021-36720)
Vulnerability from cvelistv5 – Published: 2021-12-08 19:24 – Updated: 2024-08-04 01:01
VLAI
Title
Cybonet - PineApp
Summary
PineApp - Mail Secure - An attacker can send a request to /blocking.php?url=<script>alert(1)</script> and steal cookies.
Severity
No CVSS data available.
CWE
- Reflected XSS
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | third-party-advisory, x_refsource_CERT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp - Mail Secure |
Affected:
PineApp - Mail Secure Latest
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:58.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PineApp - Mail Secure",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp - Mail Secure Latest"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=\u003cscript\u003ealert(1)\u003c/script\u003e and stealing cookies ."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Reflected XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-08T19:24:46.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 5.2.1 - Code hardening by adding an extra layer of input validations"
}
],
"source": {
"advisory": "ILVN-2021-0005",
"defect": [
"ILVN-2021-0005"
],
"discovery": "EXTERNAL"
},
"title": "Cybonet - PineApp",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-36720",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PineApp - Mail Secure",
"version": {
"version_data": [
{
"version_name": "PineApp - Mail Secure",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=\u003cscript\u003ealert(1)\u003c/script\u003e and stealing cookies ."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reflected XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "INCD CVE Advisories",
"refsource": "CERT",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 5.2.1 - Code hardening by adding an extra layer of input validations"
}
],
"source": {
"advisory": "ILVN-2021-0005",
"defect": [
"ILVN-2021-0005"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-36720",
"datePublished": "2021-12-08T19:24:46.000Z",
"dateReserved": "2021-07-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:01:58.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41695 (GCVE-0-2024-41695)
Vulnerability from nvd – Published: 2024-07-30 09:02 – Updated: 2024-08-02 04:46
VLAI
Title
Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Summary
Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp Mail Relay | Affected: All versions , < Upgrade to version 5.2.1 revision 20jun24 security update (custom) | |
| cybonet | pineapp_mail_secure | Affected: 0 , < 5.21_r20jun24 (custom) cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:* |
Date Public
2024-07-30 08:55
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pineapp_mail_secure",
"vendor": "cybonet",
"versions": [
{
"lessThan": "5.21_r20jun24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T13:52:05.182971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T13:53:50.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 5.2.1 revision 20jun24 security update",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal ,Moriel Harush"
}
],
"datePublic": "2024-07-30T08:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T09:02:21.051Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 5.2.1 revision 20jun24 security update\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to version 5.2.1 revision 20jun24 security update"
}
],
"source": {
"advisory": "ILVN-2023-0179",
"discovery": "UNKNOWN"
},
"title": "Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-41695",
"datePublished": "2024-07-30T09:02:21.051Z",
"dateReserved": "2024-07-21T07:20:40.643Z",
"dateUpdated": "2024-08-02T04:46:52.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41694 (GCVE-0-2024-41694)
Vulnerability from nvd – Published: 2024-07-30 09:01 – Updated: 2024-08-02 04:46
VLAI
Title
Cybonet – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
Cybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp Mail Relay | Affected: All versions , < Upgrade to version 5.2.1 revision 20jun24 security update (custom) | |
| cybonet | pineapp_mail_secure | Affected: 0 , < 5.2.1_r20jun24 (custom) cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:* |
Date Public
2024-07-30 08:55
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cybonet:pineapp_mail_secure:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pineapp_mail_secure",
"vendor": "cybonet",
"versions": [
{
"lessThan": "5.2.1_r20jun24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T13:18:26.703776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T13:50:54.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 5.2.1 revision 20jun24 security update",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal ,Moriel Harush"
}
],
"datePublic": "2024-07-30T08:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cybonet - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T09:01:27.183Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 5.2.1 revision 20jun24 security update\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to version 5.2.1 revision 20jun24 security update"
}
],
"source": {
"advisory": "ILVN-2023-0178",
"discovery": "UNKNOWN"
},
"title": "Cybonet \u2013 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-41694",
"datePublished": "2024-07-30T09:01:27.183Z",
"dateReserved": "2024-07-21T07:20:40.643Z",
"dateUpdated": "2024-08-02T04:46:52.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31183 (GCVE-0-2023-31183)
Vulnerability from nvd – Published: 2023-05-08 00:00 – Updated: 2025-01-29 16:11
VLAI
Title
Cybonet PineApp Mail Secure RXSS vulnerability
Summary
Cybonet PineApp Mail Secure: a reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
Date Public
2023-05-08 11:19
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T16:11:25.584338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T16:11:35.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PineApp",
"vendor": "Cybonet",
"versions": [
{
"lessThan": "Upgrade to version 1.0.10.1646",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Levi"
}
],
"datePublic": "2023-05-08T11:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e Cybonet PineApp Mail Secure\u0026nbsp;A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e\n\n"
}
],
"value": "\n Cybonet PineApp Mail Secure\u00a0A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.\n\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-17T22:01:52.812Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 1.0.10.1646\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nUpgrade to version 1.0.10.1646\n\n\n"
}
],
"source": {
"advisory": "ILVN-2023-0100",
"discovery": "UNKNOWN"
},
"title": " Cybonet PineApp Mail Secure RXSS vulnerability",
"x_generator": {
"engine": "SecretariatVulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2023-31183",
"datePublished": "2023-05-08T00:00:00.000Z",
"dateReserved": "2023-04-24T23:25:07.107Z",
"dateUpdated": "2025-01-29T16:11:35.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22794 (GCVE-0-2022-22794)
Vulnerability from nvd – Published: 2022-02-24 16:14 – Updated: 2024-09-17 03:44
VLAI
Title
Cybonet - PineApp Mail Relay Unauthenticated Sql Injection
Summary
Cybonet - PineApp Mail Relay unauthenticated SQL injection. An attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1, /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1, /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1, /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and, by doing that, achieve remote code execution in a one-liner.
Severity
6.8 (Medium)
CWE
- Unauthenticated Sql Injection to Remote Code Execution.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | Pineapp Mail Relay | Affected: PineApp Latest |
Date Public
2022-02-14 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pineapp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp Latest"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dudu Moyal - Sophtix Security LTD"
},
{
"lang": "en",
"value": "Gad Abuhatzeira - Sophtix Security LTD"
}
],
"datePublic": "2022-02-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthenticated Sql Injection to Remote Code Execution.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T16:14:15.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "A patch was released with a hardening of the input validation"
}
],
"source": {
"defect": [
"ILVN-2022-0015"
],
"discovery": "INTERNAL"
},
"title": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "INCD",
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-02-14T10:16:00.000Z",
"ID": "CVE-2022-22794",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pineapp Mail Relay",
"version": {
"version_data": [
{
"version_name": "PineApp",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dudu Moyal - Sophtix Security LTD"
},
{
"lang": "eng",
"value": "Gad Abuhatzeira - Sophtix Security LTD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unauthenticated Sql Injection to Remote Code Execution."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "A patch was released with a hardening of the input validation"
}
],
"source": {
"defect": [
"ILVN-2022-0015"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2022-22794",
"datePublished": "2022-02-24T16:14:15.767Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:44:00.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22793 (GCVE-0-2022-22793)
Vulnerability from nvd – Published: 2022-02-24 16:14 – Updated: 2024-09-16 16:52
VLAI
Title
Cybonet - PineApp Mail Relay Local File Inclusion
Summary
Cybonet - PineApp Mail Relay Local File Inclusion. An attacker can send a request to: /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCODED PATH and, by doing that, read local files on the server.
Severity
6.1 (Medium)
CWE
- Local File Inclusion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | Pineapp Mail Relay | Affected: PineApp Latest |
Date Public
2022-02-14 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pineapp Mail Relay",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp Latest"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dudu Moyal - Sophtix Security LTD"
}
],
"datePublic": "2022-02-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Local File Inclusion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T16:14:16.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "A patch was released with code hardening by limiting the file path"
}
],
"source": {
"defect": [
"ILVN-2022-0014"
],
"discovery": "INTERNAL"
},
"title": "Cybonet - PineApp Mail Relay Local File Inclusion",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "INCD",
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-02-14T10:16:00.000Z",
"ID": "CVE-2022-22793",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp Mail Relay Local File Inclusion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pineapp Mail Relay",
"version": {
"version_data": [
{
"version_name": "PineApp",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dudu Moyal - Sophtix Security LTD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Local File Inclusion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "A patch was released with code hardening by limiting the file path"
}
],
"source": {
"defect": [
"ILVN-2022-0014"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2022-22793",
"datePublished": "2022-02-24T16:14:16.769Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:52:49.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36719 (GCVE-0-2021-36719)
Vulnerability from nvd – Published: 2021-12-08 19:25 – Updated: 2024-08-04 01:01
VLAI
Title
Cybonet - PineApp
Summary
PineApp - Mail Secure - The attacker must be logged in as a user to the PineApp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file, thus taking over the server and running remote code.
Severity
No CVSS data available.
CWE
- Authenticated RCE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | third-party-advisory, x_refsource_CERT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp - Mail Secure | Affected: PineApp - Mail Secure Latest |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:58.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PineApp - Mail Secure",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp - Mail Secure Latest"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authenticated RCE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-08T19:25:16.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "Code hardening by limiting the upload file to only limited images file types"
}
],
"source": {
"advisory": "ILVN-2021-0004",
"defect": [
"ILVN-2021-0004"
],
"discovery": "EXTERNAL"
},
"title": "Cybonet - PineApp",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-36719",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PineApp - Mail Secure",
"version": {
"version_data": [
{
"version_name": "PineApp - Mail Secure",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authenticated RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "INCD CVE Advisories",
"refsource": "CERT",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "Code hardening by limiting the upload file to only limited images file types"
}
],
"source": {
"advisory": "ILVN-2021-0004",
"defect": [
"ILVN-2021-0004"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-36719",
"datePublished": "2021-12-08T19:25:16.000Z",
"dateReserved": "2021-07-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:01:58.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36720 (GCVE-0-2021-36720)
Vulnerability from nvd – Published: 2021-12-08 19:24 – Updated: 2024-08-04 01:01
VLAI
Title
Cybonet - PineApp
Summary
PineApp - Mail Secure - An attacker can send a request to /blocking.php?url=<script>alert(1)</script> and steal cookies.
Severity
No CVSS data available.
CWE
- Reflected XSS
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/departments/faq/cve_advisories | third-party-advisory, x_refsource_CERT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cybonet | PineApp - Mail Secure | Affected: PineApp - Mail Secure Latest |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:58.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PineApp - Mail Secure",
"vendor": "Cybonet",
"versions": [
{
"status": "affected",
"version": "PineApp - Mail Secure Latest"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=\u003cscript\u003ealert(1)\u003c/script\u003e and stealing cookies ."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Reflected XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-08T19:24:46.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"name": "INCD CVE Advisories",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 5.2.1 - Code hardening by adding an extra layer of input validations"
}
],
"source": {
"advisory": "ILVN-2021-0005",
"defect": [
"ILVN-2021-0005"
],
"discovery": "EXTERNAL"
},
"title": "Cybonet - PineApp",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-36720",
"STATE": "PUBLIC",
"TITLE": "Cybonet - PineApp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PineApp - Mail Secure",
"version": {
"version_data": [
{
"version_name": "PineApp - Mail Secure",
"version_value": "Latest"
}
]
}
}
]
},
"vendor_name": "Cybonet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=\u003cscript\u003ealert(1)\u003c/script\u003e and stealing cookies ."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reflected XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "INCD CVE Advisories",
"refsource": "CERT",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 5.2.1 - Code hardening by adding an extra layer of input validations"
}
],
"source": {
"advisory": "ILVN-2021-0005",
"defect": [
"ILVN-2021-0005"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-36720",
"datePublished": "2021-12-08T19:24:46.000Z",
"dateReserved": "2021-07-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:01:58.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}