From 35d4e8c9a3884a0fef503c134ef706aa10a16dbf Mon Sep 17 00:00:00 2001 From: ghost Date: Wed, 17 Dec 2025 14:58:14 +0000 Subject: [PATCH] =?UTF-8?q?chore:=20generate=20CVEs=20metadata=20?= =?UTF-8?q?=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 cves.json | 2 ++
 cves.json-checksum.txt | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cves.json b/cves.json
index 7e9528b70d4..679a84976fe 100644
--- a/cves.json
+++ b/cves.json
@@ -1542,6 +1542,7 @@ {"ID":"CVE-2021-34640","Info":{"Name":"WordPress Securimage-WP-Fixed \u003c=3.5.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Securimage-WP-Fixed plugin 3.5.4 and prior contains a cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file, which allows attackers to inject arbitrary web scripts.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-34640.yaml"} {"ID":"CVE-2021-34643","Info":{"Name":"WordPress Skaut Bazar \u003c1.3.3 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Skaut Bazar plugin before 1.3.3 contains a reflected cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file, which allows attackers to inject arbitrary web scripts.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-34643.yaml"} {"ID":"CVE-2021-34805","Info":{"Name":"FAUST iServer 9.0.018.018.4 - Local File Inclusion","Severity":"high","Description":"FAUST iServer before 9.0.019.019.7 is susceptible to local file inclusion because for each URL request it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-34805.yaml"} +{"ID":"CVE-2021-35042","Info":{"Name":"Django QuerySet.order_by - SQL Injection","Severity":"critical","Description":"Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by, letting attackers execute arbitrary SQL commands, exploit requires attacker to control order_by input.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-35042.yaml"} {"ID":"CVE-2021-35064","Info":{"Name":"Kramer VIAware - Privilege Escalation and Remote Code Execution","Severity":"critical","Description":"Kramer VIAware, all tested versions, allow privilege escalation and 
remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through ajaxPages/writeBrowseFilePathAjax.php and improper sudoers configurations.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-35064.yaml"} {"ID":"CVE-2021-35250","Info":{"Name":"SolarWinds Serv-U 15.3 - Directory Traversal","Severity":"high","Description":"SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2021/CVE-2021-35250.yaml"} {"ID":"CVE-2021-35265","Info":{"Name":"MaxSite CMS \u003e V106 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page.\"\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-35265.yaml"} 
@@ -2585,6 +2586,7 @@ {"ID":"CVE-2023-38875","Info":{"Name":"PHP Login System 2.0.1 - Cross-Site Scripting","Severity":"medium","Description":"msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-38875.yaml"} {"ID":"CVE-2023-38879","Info":{"Name":"openSIS v9.0 - Path Traversal","Severity":"high","Description":"A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38879.yaml"} {"ID":"CVE-2023-38950","Info":{"Name":"ZKTeco BioTime v8.5.5 - Path Traversal","Severity":"high","Description":"A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38950.yaml"} +{"ID":"CVE-2023-38952","Info":{"Name":"ZKTeco BioTime \u003c= 9.0.1 - Privilege Escalation","Severity":"high","Description":"BioTime default employee credentials (password 123456) allow login. 
Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2023/CVE-2023-38952.yaml"} {"ID":"CVE-2023-38964","Info":{"Name":"Academy LMS 6.0 - Cross-Site Scripting","Severity":"medium","Description":"Creative Item Academy LMS 6.0 was discovered to contain a cross-site scripting (XSS) vulnerability through `query` parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-38964.yaml"} {"ID":"CVE-2023-38992","Info":{"Name":"Jeecg-Boot v3.5.1 - SQL Injection","Severity":"critical","Description":"SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData in jeecg-boot v3.5.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-38992.yaml"} {"ID":"CVE-2023-39002","Info":{"Name":"OPNsense - Cross-Site Scripting","Severity":"medium","Description":"A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense before 23.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-39002.yaml"} diff --git a/cves.json-checksum.txt b/cves.json-checksum.txt index 09cde042102..2bcadb7686e 100644 --- a/cves.json-checksum.txt +++ b/cves.json-checksum.txt @@ -1 +1 @@ -2b2a5c1c61451fd42c67c7813fce7595 +a1e80f645cd8f58b9a365a7bc1dfe38c