cvelistv5 - cve-2019-5925

CVE-2019-5925 (GCVE-0-2019-5925)

Vulnerability from cvelistv5 – Published: 2019-03-12 21:00 – Updated: 2024-08-04 20:09

Summary

Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Cross-site scripting

Assigner

jpcert

References

URL

Tags

	http://jvn.jp/en/jp/JVN40288903/index.html	third-party-advisoryx_refsource_JVN
	https://dradisframework.com/ce/security_reports.h…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Security Roots Ltd	Dradis Community Edition and Dradis Professional Edition	Affected: Dradis Community Edition v3.11 and earlier, Dradis Professional Edition v3.1.1 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:09:23.796Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "JVN#40288903",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Dradis Community Edition and Dradis Professional Edition",
          "vendor": "Security Roots Ltd",
          "versions": [
            {
              "status": "affected",
              "version": "Dradis Community Edition v3.11 and earlier, Dradis Professional Edition v3.1.1 and earlier"
            }
          ]
        }
      ],
      "datePublic": "2019-03-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-12T20:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "name": "JVN#40288903",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2019-5925",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Dradis Community Edition and Dradis Professional Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Dradis Community Edition v3.11 and earlier, Dradis Professional Edition v3.1.1 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Security Roots Ltd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "JVN#40288903",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
            },
            {
              "name": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1",
              "refsource": "MISC",
              "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2019-5925",
    "datePublished": "2019-03-12T21:00:00",
    "dateReserved": "2019-01-10T00:00:00",
    "dateUpdated": "2024-08-04T20:09:23.796Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dradisframework:dradis:*:*:*:*:professional:*:*:*\", \"versionEndIncluding\": \"3.1.1\", \"matchCriteriaId\": \"93438ADC-BFC4-4D17-A072-BB4A70090497\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dradisframework:dradis:*:*:*:*:community:*:*:*\", \"versionEndIncluding\": \"3.11\", \"matchCriteriaId\": \"A7656A5D-2E64-4A78-9332-8C88B778E79B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de Cross-Site Scripting (XSS) en Dradis Community Edition, en versiones v3.11 y anteriores, y en Dradis Professional Edition, en versiones v3.1.1 y anteriores, permite a los atacantes autenticados inyectar scripts web o HTML arbitrarios mediante vectores sin especificar.\"}]",
      "id": "CVE-2019-5925",
      "lastModified": "2024-11-21T04:45:45.453",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-03-12T22:29:01.270",
      "references": "[{\"url\": \"http://jvn.jp/en/jp/JVN40288903/index.html\", \"source\": \"vultures@jpcert.or.jp\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://dradisframework.com/ce/security_reports.html#fixed-3.11.1\", \"source\": \"vultures@jpcert.or.jp\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://jvn.jp/en/jp/JVN40288903/index.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://dradisframework.com/ce/security_reports.html#fixed-3.11.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "vultures@jpcert.or.jp",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-5925\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2019-03-12T22:29:01.270\",\"lastModified\":\"2024-11-21T04:45:45.453\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Cross-Site Scripting (XSS) en Dradis Community Edition, en versiones v3.11 y anteriores, y en Dradis Professional Edition, en versiones v3.1.1 y anteriores, permite a los atacantes autenticados inyectar scripts web o HTML arbitrarios mediante vectores sin especificar.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dradisframework:dradis:*:*:*:*:professional:*:*:*\",\"versionEndIncluding\":\"3.1.1\",\"matchCriteriaId\":\"93438ADC-BFC4-4D17-A072-BB4A70090497\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dradisframework:dradis:*:*:*:*:community:*:*:*\",\"versionEndIncluding\":\"3.11\",\"matchCriteriaId\":\"A7656A5D-2E64-4A78-9332-8C88B778E79B\"}]}]}],\"references\":[{\"url\":\"http://jvn.jp/en/jp/JVN40288903/index.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://dradisframework.com/ce/security_reports.html#fixed-3.11.1\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://jvn.jp/en/jp/JVN40288903/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://dradisframework.com/ce/security_reports.html#fixed-3.11.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2019-06350

Vulnerability from cnvd - Published: 2019-03-06

Title

Dradis跨站脚本漏洞

Description

Dradis是一套用于信息安全团队的报告和协作工具。 Dradis（社区版）3.11及之前版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞在用户浏览器中执行任意脚本。

Severity

中

Patch Name

Dradis跨站脚本漏洞的补丁

Patch Description

Dradis是一套用于信息安全团队的报告和协作工具。 Dradis（社区版）3.11及之前版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞在用户浏览器中执行任意脚本。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://dradisframework.com/ce/security_reports.html#fixed-3.11.1

Reference

https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000017.html

Impacted products

Name
Dradis Dradis（社区版） <=3.11

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-5925"
    }
  },
  "description": "Dradis\u662f\u4e00\u5957\u7528\u4e8e\u4fe1\u606f\u5b89\u5168\u56e2\u961f\u7684\u62a5\u544a\u548c\u534f\u4f5c\u5de5\u5177\u3002\n\nDradis\uff08\u793e\u533a\u7248\uff093.11\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u3002",
  "discovererName": "unKnow",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://dradisframework.com/ce/security_reports.html#fixed-3.11.1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-06350",
  "openTime": "2019-03-06",
  "patchDescription": "Dradis\u662f\u4e00\u5957\u7528\u4e8e\u4fe1\u606f\u5b89\u5168\u56e2\u961f\u7684\u62a5\u544a\u548c\u534f\u4f5c\u5de5\u5177\u3002\r\n\r\nDradis\uff08\u793e\u533a\u7248\uff093.11\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dradis\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Dradis Dradis\uff08\u793e\u533a\u7248\uff09 \u003c=3.11"
  },
  "referenceLink": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000017.html",
  "serverity": "\u4e2d",
  "submitTime": "2019-03-06",
  "title": "Dradis\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

FKIE_CVE-2019-5925

Vulnerability from fkie_nvd - Published: 2019-03-12 22:29 - Updated: 2024-11-21 04:45

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
vultures@jpcert.or.jp	http://jvn.jp/en/jp/JVN40288903/index.html	Third Party Advisory
vultures@jpcert.or.jp	https://dradisframework.com/ce/security_reports.html#fixed-3.11.1	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://jvn.jp/en/jp/JVN40288903/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://dradisframework.com/ce/security_reports.html#fixed-3.11.1	Vendor Advisory

Impacted products

	Vendor	Product	Version
	dradisframework	dradis	*
	dradisframework	dradis	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dradisframework:dradis:*:*:*:*:professional:*:*:*",
              "matchCriteriaId": "93438ADC-BFC4-4D17-A072-BB4A70090497",
              "versionEndIncluding": "3.1.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dradisframework:dradis:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "A7656A5D-2E64-4A78-9332-8C88B778E79B",
              "versionEndIncluding": "3.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en Dradis Community Edition, en versiones v3.11 y anteriores, y en Dradis Professional Edition, en versiones v3.1.1 y anteriores, permite a los atacantes autenticados inyectar scripts web o HTML arbitrarios mediante vectores sin especificar."
    }
  ],
  "id": "CVE-2019-5925",
  "lastModified": "2024-11-21T04:45:45.453",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-03-12T22:29:01.270",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2019-5925

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-5925

Aliases

CVE-2019-5925

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-5925",
    "description": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.",
    "id": "GSD-2019-5925"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-5925"
      ],
      "details": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.",
      "id": "GSD-2019-5925",
      "modified": "2023-12-13T01:23:55.307555Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2019-5925",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Dradis Community Edition and Dradis Professional Edition",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Dradis Community Edition v3.11 and earlier, Dradis Professional Edition v3.1.1 and earlier"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Security Roots Ltd"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "JVN#40288903",
            "refsource": "JVN",
            "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
          },
          {
            "name": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1",
            "refsource": "MISC",
            "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:dradisframework:dradis:*:*:*:*:professional:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.1.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dradisframework:dradis:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.11",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2019-5925"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
            },
            {
              "name": "JVN#40288903",
              "refsource": "JVN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-03-13T14:06Z",
      "publishedDate": "2019-03-12T22:29Z"
    }
  }
}

JVNDB-2019-000017

Vulnerability from jvndb - Published: 2019-03-05 14:18 - Updated:2019-09-27 09:54

Severity ?

5.4 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

Dradis Community Edition and Dradis Professional Edition vulnerable to cross-site scripting

Details

Dradis Community Edition and Dradis Professional Edition provided by Security Roots Ltd contain a cross-site scripting vulnerability (CWE-79). Ohji Kashiwazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN40288903/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5925
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-5925
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Security Roots Ltd

Dradis

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000017.html",
  "dc:date": "2019-09-27T09:54+09:00",
  "dcterms:issued": "2019-03-05T14:18+09:00",
  "dcterms:modified": "2019-09-27T09:54+09:00",
  "description": "Dradis Community Edition and Dradis Professional Edition provided by Security Roots Ltd contain a cross-site scripting vulnerability (CWE-79).\r\n\r\nOhji Kashiwazaki of Ierae Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000017.html",
  "sec:cpe": {
    "#text": "cpe:/a:dradisframework:dradis",
    "@product": "Dradis",
    "@vendor": "Security Roots Ltd",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000017",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN40288903/index.html",
      "@id": "JVN#40288903",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5925",
      "@id": "CVE-2019-5925",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5925",
      "@id": "CVE-2019-5925",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Dradis Community Edition and Dradis Professional Edition vulnerable to cross-site scripting"
}

GHSA-Q2FV-JR47-V347

Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22

Details

Severity ?

5.4 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-5925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-12T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting vulnerability in Dradis Community Edition Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.",
  "id": "GHSA-q2fv-jr47-v347",
  "modified": "2022-05-14T01:22:01Z",
  "published": "2022-05-14T01:22:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5925"
    },
    {
      "type": "WEB",
      "url": "https://dradisframework.com/ce/security_reports.html#fixed-3.11.1"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN40288903/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-5925 (GCVE-0-2019-5925)

CNVD-2019-06350

FKIE_CVE-2019-5925

GSD-2019-5925

JVNDB-2019-000017

GHSA-Q2FV-JR47-V347

Tags

Sightings

Nomenclature