Vulnerabilites related to orchid - platform
CVE-2020-15263 (GCVE-0-2020-15263)
Vulnerability from cvelistv5
Published
2020-10-19 20:35
Modified
2024-08-04 13:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - {"":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Summary
In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x | x_refsource_CONFIRM | |
| https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| orchidsoftware | platform |
Version: >= 9.0.0, < 9.4.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "platform",
"vendor": "orchidsoftware",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-19T20:35:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169"
}
],
"source": {
"advisory": "GHSA-589w-hccm-265x",
"discovery": "UNKNOWN"
},
"title": "XSS in platform",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15263",
"STATE": "PUBLIC",
"TITLE": "XSS in platform"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "platform",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0, \u003c 9.4.4"
}
]
}
}
]
},
"vendor_name": "orchidsoftware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x",
"refsource": "CONFIRM",
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x"
},
{
"name": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169",
"refsource": "MISC",
"url": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169"
}
]
},
"source": {
"advisory": "GHSA-589w-hccm-265x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15263",
"datePublished": "2020-10-19T20:35:17",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:15:20.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36825 (GCVE-0-2023-36825)
Vulnerability from cvelistv5
Published
2023-07-11 17:49
Modified
2024-10-23 15:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p | x_refsource_CONFIRM | |
| https://github.com/orchidsoftware/platform/releases/tag/14.5.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| orchidsoftware | platform |
Version: >= 14.0.0-alpha4, < 14.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p"
},
{
"name": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:orchid:platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "platform",
"vendor": "orchid",
"versions": [
{
"lessThan": "14.5.0",
"status": "affected",
"version": "14.0.0-alpha4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:24:26.162195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:26:15.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "platform",
"vendor": "orchidsoftware",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.0.0-alpha4, \u003c 14.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T12:59:46.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p"
},
{
"name": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0"
}
],
"source": {
"advisory": "GHSA-ph6g-p72v-pc3p",
"discovery": "UNKNOWN"
},
"title": "Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36825",
"datePublished": "2023-07-11T17:49:23.557Z",
"dateReserved": "2023-06-27T15:43:18.387Z",
"dateUpdated": "2024-10-23T15:26:15.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-10-19 21:15
Modified
2024-11-21 05:05
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchid:platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "446A0075-B2FE-4686-BF3E-E8B843BACD19",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4."
},
{
"lang": "es",
"value": "En platform versiones anteriores a 9.4.4, los atributos en l\u00ednea no son escapados apropiadamente.\u0026#xa0;Si los datos que provienen de los usuarios no se escaparon, entonces es posible una vulnerabilidad de tipo XSS.\u0026#xa0;El problema fue introducido en la versi\u00f3n 9.0.0 y corregido en la versi\u00f3n 9.4.4"
}
],
"id": "CVE-2020-15263",
"lastModified": "2024-11-21T05:05:13.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-19T21:15:12.983",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/orchidsoftware/platform/commit/03f9a113b1a70bc5075ce86a918707f0e7d82169"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-589w-hccm-265x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-11 18:15
Modified
2024-11-21 08:10
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchid:platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF882026-A429-4924-B84E-29DD6A1F9990",
"versionEndExcluding": "14.5.0",
"versionStartIncluding": "14.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:orchid:platform:14.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "BC8FD5E1-EFAA-4123-A0A3-9EE96719643B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:orchid:platform:14.0.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "2D9AF0E5-E01D-4032-AF71-6FC428232D26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:orchid:platform:14.0.0:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "1B2F7B9C-98DC-43A5-8CFF-916CAEB67284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:orchid:platform:14.0.0:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "36C441C1-F1B6-46F7-96B8-F5BB222BCDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:orchid:platform:14.0.0:alpha7:*:*:*:*:*:*",
"matchCriteriaId": "BDF364F5-A581-481C-9A21-F0FF2ABE6726",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds."
}
],
"id": "CVE-2023-36825",
"lastModified": "2024-11-21T08:10:40.817",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-11T18:15:20.417",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/orchidsoftware/platform/releases/tag/14.5.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}