Vulnerabilites related to opencrx - opencrx
CVE-2023-27151 (GCVE-0-2023-27151)
Vulnerability from cvelistv5
Published
2023-12-25 00:00
Modified
2024-08-23 18:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.opencrx.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opencrx",
"vendor": "opencrx",
"versions": [
{
"status": "affected",
"version": "5.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27151",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T18:18:18.925859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T18:25:21.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-25T19:27:42.497762",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.opencrx.org/"
},
{
"url": "https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27151",
"datePublished": "2023-12-25T00:00:00",
"dateReserved": "2023-02-27T00:00:00",
"dateUpdated": "2024-08-23T18:25:21.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40816 (GCVE-0-2023-40816)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-28 20:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:10.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:08:32.516520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:08:48.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:09.369454",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40816",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-28T20:08:48.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40814 (GCVE-0-2023-40814)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-29 13:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40814-html-injection-accounts/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40814",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:45:55.547416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:46:54.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:06.759357",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40814-html-injection-accounts/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40814",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-29T13:46:54.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25959 (GCVE-0-2021-25959)
Vulnerability from cvelistv5
Published
2021-09-29 13:50
Modified
2024-09-16 19:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| org.opencrx | opencrx-core-config |
Version: 4.0.0 < * |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "opencrx-core-config",
"vendor": "org.opencrx",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T13:50:15",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.2.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "OpenCRX - Reflected Cross-Site Scripting in Password Reset Functionality",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-21T08:52:00.000Z",
"ID": "CVE-2021-25959",
"STATE": "PUBLIC",
"TITLE": "OpenCRX - Reflected Cross-Site Scripting in Password Reset Functionality"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "opencrx-core-config",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "4.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "5.1.0 +1"
}
]
}
}
]
},
"vendor_name": "org.opencrx"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"
},
{
"name": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818",
"refsource": "MISC",
"url": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 5.2.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25959",
"datePublished": "2021-09-29T13:50:15.394433Z",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-09-16T19:24:15.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7378 (GCVE-0-2020-7378)
Vulnerability from cvelistv5
Published
2020-11-24 16:35
Modified
2024-09-16 20:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-620 - Unverified Password Change
Summary
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenCRX",
"vendor": "CRIXP",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0-20200717",
"status": "affected",
"version": "5.0-20200717",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"datePublic": "2020-11-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-24T16:35:14",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
},
"title": "CRIXP OpenCRX Unverified Password Change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-11-24T15:00:00.000Z",
"ID": "CVE-2020-7378",
"STATE": "PUBLIC",
"TITLE": "CRIXP OpenCRX Unverified Password Change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenCRX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.30",
"version_value": "4.30"
},
{
"version_affected": "\u003c=",
"version_name": "5.0-20200717",
"version_value": "5.0-20200717"
}
]
}
}
]
},
"vendor_name": "CRIXP"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-620 Unverified Password Change"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7378",
"datePublished": "2020-11-24T16:35:15.035583Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T20:37:06.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40815 (GCVE-0-2023-40815)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-28 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:10.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40815-html-injection-category/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40815",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:09:27.859885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:10:49.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:11.277691",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40815-html-injection-category/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40815",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-28T20:10:49.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40809 (GCVE-0-2023-40809)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-10 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:10.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40809-html-injection-search/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opencrx",
"vendor": "opencrx",
"versions": [
{
"status": "affected",
"version": "5.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-40809",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T15:42:38.839474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T15:45:46.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:05.567953",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40809-html-injection-search/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40809",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-10T15:45:46.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40813 (GCVE-0-2023-40813)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-29 13:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40813",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:49:41.448839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:50:34.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:03.658872",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40813",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-29T13:50:34.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40084 (GCVE-0-2022-40084)
Vulnerability from cvelistv5
Published
2022-10-20 00:00
Modified
2025-05-08 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294\u0026text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack."
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:49:12.469657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T15:49:42.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-20T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294\u0026text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack."
},
{
"url": "https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40084",
"datePublished": "2022-10-20T00:00:00.000Z",
"dateReserved": "2022-09-06T00:00:00.000Z",
"dateUpdated": "2025-05-08T15:49:42.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40817 (GCVE-0-2023-40817)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-14 18:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40817",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T17:54:44.278818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T18:03:57.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:10.385663",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40817",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-14T18:03:57.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40812 (GCVE-0-2023-40812)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-29 13:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:51:51.444696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:52:19.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:07.879380",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40812",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-29T13:52:19.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27150 (GCVE-0-2023-27150)
Vulnerability from cvelistv5
Published
2023-12-26 00:00
Modified
2024-08-27 20:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.opencrx.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T20:00:33.138743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:01:19.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-26T03:31:20.500508",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.opencrx.org/"
},
{
"url": "https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27150",
"datePublished": "2023-12-26T00:00:00",
"dateReserved": "2023-02-27T00:00:00",
"dateUpdated": "2024-08-27T20:01:19.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46502 (GCVE-0-2023-46502)
Vulnerability from cvelistv5
Published
2023-10-30 00:00
Modified
2024-09-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:45:42.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T20:13:34.451599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T20:14:16.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T19:22:14.875433",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
},
{
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-46502",
"datePublished": "2023-10-30T00:00:00",
"dateReserved": "2023-10-23T00:00:00",
"dateUpdated": "2024-09-09T20:14:16.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40810 (GCVE-0-2023-40810)
Vulnerability from cvelistv5
Published
2023-11-18 00:00
Modified
2024-08-29 13:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:10.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40810",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:56:18.968258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:56:43.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-18T03:12:08.546363",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-40810",
"datePublished": "2023-11-18T00:00:00",
"dateReserved": "2023-08-22T00:00:00",
"dateUpdated": "2024-08-29T13:56:43.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40815-html-injection-category/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40815-html-injection-category/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Category Creation Name Field."
}
],
"id": "CVE-2023-40815",
"lastModified": "2024-11-21T08:20:09.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.830",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40815-html-injection-category/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40815-html-injection-category/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Product Configuration Name Field."
}
],
"id": "CVE-2023-40817",
"lastModified": "2024-11-21T08:20:10.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.920",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40817-html-injection-product-configuration/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Product Name Field."
}
],
"id": "CVE-2023-40810",
"lastModified": "2024-11-21T08:20:09.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.660",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40810-html-injection-product-creation/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Activity Saved Search Creation."
}
],
"id": "CVE-2023-40813",
"lastModified": "2024-11-21T08:20:09.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40813-html-injection-saved-search/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Accounts Group Name Field."
}
],
"id": "CVE-2023-40812",
"lastModified": "2024-11-21T08:20:09.517",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.707",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40812-html-injection-accounts-group/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-26 04:15
Modified
2024-11-21 07:52
Severity ?
Summary
openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.opencrx.org/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.opencrx.org/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que openCRX 5.2.0 contiene una vulnerabilidad de cross-site scripting (XSS) a trav\u00e9s del campo Name despu\u00e9s de la creaci\u00f3n de un Tracker en Manage Activity."
}
],
"id": "CVE-2023-27150",
"lastModified": "2024-11-21T07:52:23.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-26T04:15:07.713",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.opencrx.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-27150-cross-site-scripting-xss/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.opencrx.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-29 14:15
Modified
2024-11-21 05:55
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| vulnerabilitylab@mend.io | https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818 | Patch, Tool Signature | |
| vulnerabilitylab@mend.io | https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959 | Tool Signature | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818 | Patch, Tool Signature | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959 | Tool Signature |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6CC05D23-E68A-45A9-93B6-8048254723C0",
"versionEndIncluding": "5.1.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance."
},
{
"lang": "es",
"value": "En OpenCRX, versiones v4.0.0 hasta v5.1.0, son vulnerables a un ataque de tipo Cross-site Scripting (XSS) reflejado, debido a par\u00e1metros no saneados en la funcionalidad password reset. Esto permite una ejecuci\u00f3n de archivos javascript externos en cualquier usuario de la instancia de openCRX"
}
],
"id": "CVE-2021-25959",
"lastModified": "2024-11-21T05:55:40.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-29T14:15:07.620",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Tool Signature"
],
"url": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"
},
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Tool Signature"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Tool Signature"
],
"url": "https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-20 14:15
Modified
2025-05-08 16:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294&text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack. | ||
| cve@mitre.org | https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294&text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack. | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB4CE51-E404-48BA-8C8C-E1E0D8588D6D",
"versionEndIncluding": "5.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid."
},
{
"lang": "es",
"value": "Se ha detectado que OpenCRX versiones anteriores a v5.2.2, es vulnerable a una enumeraci\u00f3n de contrase\u00f1as debido a la diferencia en los mensajes de error recibidos durante el restablecimiento de la contrase\u00f1a, lo que podr\u00eda permitir a un atacante determinar si un nombre de usuario, correo electr\u00f3nico o ID es v\u00e1lido"
}
],
"id": "CVE-2022-40084",
"lastModified": "2025-05-08T16:15:21.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-20T14:15:09.897",
"references": [
{
"source": "cve@mitre.org",
"url": "https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294\u0026text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack."
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294\u0026text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack."
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40814-html-injection-accounts/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40814-html-injection-accounts/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Accounts Name Field."
}
],
"id": "CVE-2023-40814",
"lastModified": "2024-11-21T08:20:09.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.790",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40814-html-injection-accounts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40814-html-injection-accounts/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 01:38
Modified
2025-05-08 22:50
Severity ?
Summary
openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.opencrx.org/ | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.opencrx.org/ | Release Notes |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que openCRX 5.2.0 contiene una vulnerabilidad de inyecci\u00f3n de HTML para Criterios de b\u00fasqueda-N\u00famero de actividad (en la Actividad de b\u00fasqueda guardada) a trav\u00e9s del campo Nombre, Descripci\u00f3n o N\u00famero de actividad."
}
],
"id": "CVE-2023-27151",
"lastModified": "2025-05-08T22:50:36.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-29T01:38:30.693",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.opencrx.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-27151-html-injection-activity-tracker/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.opencrx.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 23:15
Modified
2024-11-21 08:28
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e | Third Party Advisory | |
| cve@mitre.org | https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399 | Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "48588E81-A740-476B-9177-A08EF2430A28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory."
},
{
"lang": "es",
"value": "Un problema en openCRX v.5.2.2 permite a un atacante remoto leer archivos internos y ejecutar un ataque de server side request forgery a trav\u00e9s de DocumentBuilderFactory inseguro."
}
],
"id": "CVE-2023-46502",
"lastModified": "2024-11-21T08:28:37.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-10-30T23:15:08.857",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Activity Milestone Name Field."
}
],
"id": "CVE-2023-40816",
"lastModified": "2024-11-21T08:20:10.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-18T04:15:07.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40816-html-injection-activity-milestone/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-24 17:15
Modified
2024-11-21 05:37
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@rapid7.com | https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/ | Exploit, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8282601F-778E-4BCE-A249-9AF5632CB571",
"versionEndIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.0:20200714:*:*:*:*:*:*",
"matchCriteriaId": "A0F57F4C-1DDA-4975-83BF-FCE95EF8391F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.0:20200715:*:*:*:*:*:*",
"matchCriteriaId": "A1404512-2851-4B11-82A4-6F6027E71E4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.0:20200717:*:*:*:*:*:*",
"matchCriteriaId": "372C678B-244F-498E-8E1B-FA49BC94B521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B0DFA3FE-F0A3-4674-9E2D-8049CBDE3CB4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
},
{
"lang": "es",
"value": "CRIXP OpenCRX versiones 4.30 y 5.0-20200717 y anteriores sufre de una vulnerabilidad de cambio de contrase\u00f1a no verificada.\u0026#xa0;Un atacante que es capaz de conectarse a la instancia de OpenCRX afectada puede cambiar la contrase\u00f1a de cualquier usuario, incluyendo admin-Standard, para cualquier valor elegido.\u0026#xa0;Este problema se resolvi\u00f3 en la versi\u00f3n 5.0-20200904, publicada el 4 de septiembre de 2020"
}
],
"id": "CVE-2020-7378",
"lastModified": "2024-11-21T05:37:08.140",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-24T17:15:11.270",
"references": [
{
"source": "cve@rapid7.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"sourceIdentifier": "cve@rapid7.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-620"
}
],
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-18 04:15
Modified
2024-11-21 08:20
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.esecforte.com/cve-2023-40809-html-injection-search/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esecforte.com/cve-2023-40809-html-injection-search/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opencrx:opencrx:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA22A2E9-7F02-4B5D-A74D-D2F8C997BF75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number."
},
{
"lang": "es",
"value": "OpenCRX versi\u00f3n 5.2.0 es vulnerable a la inyecci\u00f3n de HTML a trav\u00e9s de Activity Search Criteria-Activity Number. "
}
],
"id": "CVE-2023-40809",
"lastModified": "2024-11-21T08:20:09.107",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-11-18T04:15:07.610",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40809-html-injection-search/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cve-2023-40809-html-injection-search/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}