CWE-610
Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
CVE-2015-10142 (GCVE-0-2015-10142)
Vulnerability from cvelistv5
Published
2025-07-25 15:55
Modified
2025-07-25 17:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Sitecore | Experience Platform (XP) |
Version: * < 8.0 Initial Release (rev. 141212) |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-10142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-25T17:59:28.214075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T17:59:33.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Experience Platform (XP)",
"vendor": "Sitecore",
"versions": [
{
"lessThan": "8.0 Initial Release (rev. 141212)",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Content Management System (CMS)",
"vendor": "Sitecore",
"versions": [
{
"lessThan": "7.2 Update-3 (rev. 141226)",
"status": "affected",
"version": "*",
"versionType": "custom"
},
{
"lessThan": "7.5 Update-1 (rev. 150130)",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sitecore"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to\u0026nbsp;7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL.\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eAffected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to\u00a07.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL.\u00a0Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T15:55:07.308Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB0816762"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002377"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sitecore-xp-cms-file-read-via-known-path"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Sitecore XP \u003c 8.0 and CMS \u003c 7.2 and \u003c 7.5 File Read via Known Path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2015-10142",
"datePublished": "2025-07-25T15:55:07.308Z",
"dateReserved": "2025-07-24T13:58:09.937Z",
"dateUpdated": "2025-07-25T17:59:33.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16088 (GCVE-0-2017-16088)
Vulnerability from cvelistv5
Published
2018-06-07 02:00
Modified
2024-09-16 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere ()
Summary
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | safe-eval node module |
Version: All versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:07.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/patriksimek/vm2/issues/59"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hacksparrow/safe-eval/issues/5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/337"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "safe-eval node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "Externally Controlled Reference to a Resource in Another Sphere (CWE-610)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patriksimek/vm2/issues/59"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hacksparrow/safe-eval/issues/5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/337"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16088",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "safe-eval node module",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Externally Controlled Reference to a Resource in Another Sphere (CWE-610)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/patriksimek/vm2/issues/59",
"refsource": "MISC",
"url": "https://github.com/patriksimek/vm2/issues/59"
},
{
"name": "https://github.com/hacksparrow/safe-eval/issues/5",
"refsource": "MISC",
"url": "https://github.com/hacksparrow/safe-eval/issues/5"
},
{
"name": "https://nodesecurity.io/advisories/337",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/337"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16088",
"datePublished": "2018-06-07T02:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T16:13:38.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12475 (GCVE-0-2018-12475)
Vulnerability from cvelistv5
Published
2020-09-01 11:55
Modified
2024-09-17 00:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service .
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| openSUSE | Open Build Service |
Version: obs-service-download_files < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:38:06.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1107821"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Open Build Service",
"vendor": "openSUSE",
"versions": [
{
"lessThanOrEqual": "0.6.2",
"status": "affected",
"version": "obs-service-download_files",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2020-05-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-06T16:15:48",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1107821"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1107821",
"defect": [
"1107821"
],
"discovery": "INTERNAL"
},
"title": "obs-service-download_files allows downloading from localhost or intranet hosts",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@microfocus.com",
"DATE_PUBLIC": "2020-05-11T00:00:00.000Z",
"ID": "CVE-2018-12475",
"STATE": "PUBLIC",
"TITLE": "obs-service-download_files allows downloading from localhost or intranet hosts"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Open Build Service",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "obs-service-download_files",
"version_value": "0.6.2"
}
]
}
}
]
},
"vendor_name": "openSUSE"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Matthias Gerstner of SUSE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service ."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1107821",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1107821"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1107821",
"defect": [
"1107821"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2018-12475",
"datePublished": "2020-09-01T11:55:11.943373Z",
"dateReserved": "2018-06-15T00:00:00",
"dateUpdated": "2024-09-17T00:36:57.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7824 (GCVE-0-2018-7824)
Vulnerability from cvelistv5
Published
2019-05-22 19:27
Modified
2024-08-05 06:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource ()
Summary
An Externally Controlled Reference to a Resource (CWE-610) vulnerability exists in Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) which could allow write access to system files available only to users with SYSTEM privilege or other important user files.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schneider | Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) |
Version: Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior Version: For 32-bit Windows OS:V2.17 IE 27 and prior Version: and as part of the Driver Suite version:V14.12 and prior) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:37:59.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-099-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior)",
"vendor": "Schneider",
"versions": [
{
"status": "affected",
"version": "Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior"
},
{
"status": "affected",
"version": "For 32-bit Windows OS:V2.17 IE 27 and prior"
},
{
"status": "affected",
"version": "and as part of the Driver Suite version:V14.12 and prior)"
}
]
}
],
"datePublic": "2019-04-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Externally Controlled Reference to a Resource (CWE-610) vulnerability exists in Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) which could allow write access to system files available only to users with SYSTEM privilege or other important user files."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "Externally Controlled Reference to a Resource (CWE-610)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-22T19:27:44",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-099-01/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2018-7824",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior)",
"version": {
"version_data": [
{
"version_value": "Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior"
},
{
"version_value": "For 32-bit Windows OS:V2.17 IE 27 and prior"
},
{
"version_value": "and as part of the Driver Suite version:V14.12 and prior)"
}
]
}
}
]
},
"vendor_name": "Schneider"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Externally Controlled Reference to a Resource (CWE-610) vulnerability exists in Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) which could allow write access to system files available only to users with SYSTEM privilege or other important user files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Externally Controlled Reference to a Resource (CWE-610)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2019-099-01/",
"refsource": "CONFIRM",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-099-01/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2018-7824",
"datePublished": "2019-05-22T19:27:44",
"dateReserved": "2018-03-08T00:00:00",
"dateUpdated": "2024-08-05T06:37:59.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8226 (GCVE-0-2020-8226)
Vulnerability from cvelistv5
Published
2020-08-17 15:37
Modified
2024-08-04 09:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere ()
Summary
A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/phpbb/phpbb |
Version: 3.2.10 and 3.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562631"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/phpbb/phpbb",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.2.10 and 3.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in phpBB \u003cv3.2.10 and \u003cv3.3.1 which allowed remote image dimensions check to be used to SSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "Externally Controlled Reference to a Resource in Another Sphere (CWE-610)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-17T15:37:51",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562631"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562636"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/phpbb/phpbb",
"version": {
"version_data": [
{
"version_value": "3.2.10 and 3.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability exists in phpBB \u003cv3.2.10 and \u003cv3.3.1 which allowed remote image dimensions check to be used to SSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Externally Controlled Reference to a Resource in Another Sphere (CWE-610)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562631",
"refsource": "MISC",
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562631"
},
{
"name": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562636",
"refsource": "MISC",
"url": "https://www.phpbb.com/community/viewtopic.php?f=14\u0026t=2562636"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8226",
"datePublished": "2020-08-17T15:37:51",
"dateReserved": "2020-01-28T00:00:00",
"dateUpdated": "2024-08-04T09:56:27.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27648 (GCVE-0-2021-27648)
Vulnerability from cvelistv5
Published
2021-04-28 07:25
Modified
2024-09-16 16:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Antivirus Essential |
Version: unspecified < 1.4.8-2801 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Antivirus Essential",
"vendor": "Synology",
"versions": [
{
"lessThan": "1.4.8-2801",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-28T07:25:14",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2021-04-28T04:03:57.517952",
"ID": "CVE-2021-27648",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Antivirus Essential",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.4.8-2801"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.0",
"vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_21_15",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_21_15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2021-27648",
"datePublished": "2021-04-28T07:25:14.326823Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-16T16:58:04.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3779 (GCVE-0-2021-3779)
Vulnerability from cvelistv5
Published
2022-06-28 16:30
Modified
2024-09-17 00:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 and later.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tomita Masahiro | ruby-mysql |
Version: 2.9.14 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:08.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-mysql",
"vendor": "Tomita Masahiro",
"versions": [
{
"lessThanOrEqual": "2.9.14",
"status": "affected",
"version": "2.9.14",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Hans-Martin M\u00fcnch of MOGWAI LABS GmbH, reported by Rapid7, coordinated by CERT/CC and JPCERT/CC"
}
],
"datePublic": "2022-06-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 and later."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T16:30:15",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.10.0 or later of ruby-mysql"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Ruby-MySQL Gem Client File Read",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-28T15:00:00.000Z",
"ID": "CVE-2021-3779",
"STATE": "PUBLIC",
"TITLE": "Ruby-MySQL Gem Client File Read"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ruby-mysql",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.9.14",
"version_value": "2.9.14"
}
]
}
}
]
},
"vendor_name": "Tomita Masahiro"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered by Hans-Martin M\u00fcnch of MOGWAI LABS GmbH, reported by Rapid7, coordinated by CERT/CC and JPCERT/CC"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.10.0 or later of ruby-mysql"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-3779",
"datePublished": "2022-06-28T16:30:15.611030Z",
"dateReserved": "2021-09-07T00:00:00",
"dateUpdated": "2024-09-17T00:16:17.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41244 (GCVE-0-2021-41244)
Vulnerability from cvelistv5
Published
2021-11-15 20:05
Modified
2024-08-04 03:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-23T12:07:05",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
],
"source": {
"advisory": "GHSA-mpwp-42x6-4wmx",
"discovery": "UNKNOWN"
},
"title": "Cross organization admin control in Grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41244",
"STATE": "PUBLIC",
"TITLE": "Cross organization admin control in Grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.4"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u2019 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx"
},
{
"name": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/",
"refsource": "MISC",
"url": "https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"
},
{
"name": "[oss-security] 20211115 Grafana 8.2.4 released with security fixes",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/15/1"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211223-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211223-0001/"
}
]
},
"source": {
"advisory": "GHSA-mpwp-42x6-4wmx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41244",
"datePublished": "2021-11-15T20:05:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T03:08:31.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43794 (GCVE-0-2021-43794)
Vulnerability from cvelistv5
Published
2021-12-01 19:40
Modified
2024-08-04 04:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/2da0001965c6d8632d723c46ea5df9f22a1a23f1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-249g-pc77-65hp"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "stable \u003c 2.7.11"
},
{
"status": "affected",
"version": "beta \u003c 2.8.0.beta9"
},
{
"status": "affected",
"version": "tests-passed \u003c 2.8.0.beta9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-01T19:40:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/2da0001965c6d8632d723c46ea5df9f22a1a23f1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-249g-pc77-65hp"
}
],
"source": {
"advisory": "GHSA-249g-pc77-65hp",
"discovery": "UNKNOWN"
},
"title": "Anonymous user cache poisoning via development-mode header in Discourse",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43794",
"STATE": "PUBLIC",
"TITLE": "Anonymous user cache poisoning via development-mode header in Discourse"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "discourse",
"version": {
"version_data": [
{
"version_value": "stable \u003c 2.7.11"
},
{
"version_value": "beta \u003c 2.8.0.beta9"
},
{
"version_value": "tests-passed \u003c 2.8.0.beta9"
}
]
}
}
]
},
"vendor_name": "discourse"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/discourse/discourse/commit/2da0001965c6d8632d723c46ea5df9f22a1a23f1",
"refsource": "MISC",
"url": "https://github.com/discourse/discourse/commit/2da0001965c6d8632d723c46ea5df9f22a1a23f1"
},
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-249g-pc77-65hp",
"refsource": "CONFIRM",
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-249g-pc77-65hp"
}
]
},
"source": {
"advisory": "GHSA-249g-pc77-65hp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43794",
"datePublished": "2021-12-01T19:40:10",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43844 (GCVE-0-2021-43844)
Vulnerability from cvelistv5
Published
2021-12-20 21:20
Modified
2024-08-04 04:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rcmaehl | MSEdgeRedirect |
Version: < 0.5.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:16.980Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MSEdgeRedirect",
"vendor": "rcmaehl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user\u0027s default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-20T21:20:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
}
],
"source": {
"advisory": "GHSA-95v4-748v-fmf9",
"discovery": "UNKNOWN"
},
"title": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43844",
"STATE": "PUBLIC",
"TITLE": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MSEdgeRedirect",
"version": {
"version_data": [
{
"version_value": "\u003c 0.5.0.1"
}
]
}
}
]
},
"vendor_name": "rcmaehl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user\u0027s default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9",
"refsource": "CONFIRM",
"url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
},
{
"name": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1",
"refsource": "MISC",
"url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
}
]
},
"source": {
"advisory": "GHSA-95v4-748v-fmf9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43844",
"datePublished": "2021-12-20T21:20:11",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:16.980Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-219: XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.