
    9 vulnerabilities by CERT/CC

    CVE-2026-8142 (GCVE-0-2026-8142)

    Vulnerability from cvelistv5 – Published: 2026-05-07 19:54 – Updated: 2026-06-05 16:26
    Title
    CVE-2026-8142
    Summary
    VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Impacted products
    Vendor: CERT/CC
    Product: VINCE
    Version: Affected: * , ≤ 3.0.38 (semver)
    Credits
    Thanks to Guillem Lefait guillem@datamq.com for reporting the issue

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:54:55.991111Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:55:16.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.38",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T16:26:58.167Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://kb.cert.org/vince"
            },
            {
              "url": "https://github.com/CERTCC/VINCE"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "CVE-2026-8142",
          "x_generator": {
            "engine": "VINCE 3.0.39",
            "env": "prod",
            "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2026-8142",
        "datePublished": "2026-05-07T19:54:49.275Z",
        "dateReserved": "2026-05-07T19:50:29.029Z",
        "dateUpdated": "2026-06-05T16:26:58.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35467 (GCVE-0-2026-35467)

    Vulnerability from cvelistv5 – Published: 2026-04-02 20:27 – Updated: 2026-04-03 13:51
    Title
    Private Key stored as extractable in browser IndexeDB
    Summary
    The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Impacted products
    Vendor: CERT/CC
    Product: cveClient/encrypt-storage.js
    Version: Affected: 0 , < 1.1.15 (server)
    Credits
    Jerry Gamblin (https://github.com/jgamblin)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35467",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T13:50:34.898716Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T13:51:22.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "cveClient/encrypt-storage.js",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.1.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "server"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jerry Gamblin (https://github.com/jgamblin)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T20:27:27.792Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "Github PR to fix the issue",
              "url": "https://github.com/CERTCC/cveClient/pull/39"
            },
            {
              "name": "Github Repository of the project.",
              "url": "https://github.com/CERTCC/cveClient/"
            }
          ],
          "title": "Private Key stored as extractable in browser IndexeDB",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2026-35467",
        "datePublished": "2026-04-02T20:27:27.792Z",
        "dateReserved": "2026-04-02T20:09:50.057Z",
        "dateUpdated": "2026-04-03T13:51:22.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35466 (GCVE-0-2026-35466)

    Vulnerability from cvelistv5 – Published: 2026-04-02 20:20 – Updated: 2026-04-03 13:55
    Title
    Stored XSS via unsanitized input from remote service
    Summary
    XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor: CERT/CC
    Product: cveClient/cveInterface.js
    Version: Affected: 0 , < 1.0.24 (semver)
    Credits
    Jerry Gamblin (https://github.com/jgamblin)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T13:54:50.933767Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T13:55:40.446Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "cveClient/cveInterface.js",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jerry Gamblin (https://github.com/jgamblin)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T20:30:00.719Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "Patch PR",
              "url": "https://github.com/CERTCC/cveClient/pull/37"
            },
            {
              "name": "GitHub Repository",
              "url": "https://github.com/CERTCC/cveClient"
            }
          ],
          "title": "Stored XSS via unsanitized input from remote service",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2026-35466",
        "datePublished": "2026-04-02T20:20:35.304Z",
        "dateReserved": "2026-04-02T20:09:50.057Z",
        "dateUpdated": "2026-04-03T13:55:40.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10469 (GCVE-0-2024-10469)

    Vulnerability from cvelistv5 – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
    Title
    CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
    Summary
    VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Impacted products
    Vendor: CERT/CC
    Product: VINCE
    Version: Affected: * , < 3.0.9 (semver)
    Credits
    This issues was reported by an internal user of VINCE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10469",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T20:33:48.131122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T16:23:01.349Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "3.0.9",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issues was reported by an internal user of VINCE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T22:10:00.825Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VINCE Project open source repository",
              "url": "https://github.com/CERTCC/VINCE/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2024-10469",
        "datePublished": "2024-10-28T15:38:29.062Z",
        "dateReserved": "2024-10-28T15:20:34.868Z",
        "dateUpdated": "2025-08-25T22:10:00.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9953 (GCVE-0-2024-9953)

    Vulnerability from cvelistv5 – Published: 2024-10-14 21:19 – Updated: 2025-03-20 18:58
    Title
    Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8
    Summary
    A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Credits
    Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 4.9,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:41:05.626356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T18:58:47.620Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VINCE - Vulnerability Information and Coordination Environment",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "3.0.8",
                  "status": "affected",
                  "version": "*",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-15T15:14:26.539Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "CERT/CC GitHub Issues",
              "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2024-9953",
        "datePublished": "2024-10-14T21:19:26.517Z",
        "dateReserved": "2024-10-14T20:49:18.194Z",
        "dateUpdated": "2025-03-20T18:58:47.620Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40238 (GCVE-0-2022-40238)

    Vulnerability from cvelistv5 – Published: 2022-10-26 15:15 – Updated: 2025-05-07 13:31
    Title
    A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5
    Summary
    A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Credits
    Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.960Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "CERTCC GitHub Issues",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-40238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-07T13:31:11.683062Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-07T13:31:41.213Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE - The Vulnerability Information and Coordination Environment",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.50.5",
                  "status": "affected",
                  "version": "1.48.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC "
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-01T21:36:54.112Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "CERTCC GitHub Issues",
              "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5",
          "x_generator": {
            "engine": "cveClient/1.0.13"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2022-40238",
        "datePublished": "2022-10-26T15:15:45.247Z",
        "dateReserved": "2022-09-08T19:14:18.690Z",
        "dateUpdated": "2025-05-07T13:31:41.213Z",
        "requesterUserId": "b7e00183-089e-4194-bbe8-4b7d6adf6c7f",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40248 (GCVE-0-2022-40248)

    Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
    Title
    An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
    Summary
    An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
    Severity
    No CVSS data available.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Date Public
    2022-10-10 00:00
    Credits
    Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.964Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE - The Vulnerability Information and Coordination Environment",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.50.4",
                  "status": "affected",
                  "version": "1.48.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
            }
          ],
          "datePublic": "2022-10-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-01T21:37:23.260Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
          "x_generator": {
            "engine": "cveClient/1.0.13"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2022-40248",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-09-08T00:00:00.000Z",
        "dateUpdated": "2024-08-03T12:14:39.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40257 (GCVE-0-2022-40257)

    Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
    Title
    An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
    Summary
    An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
    Severity
    No CVSS data available.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Date Public
    2022-10-10 00:00
    Credits
    Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.964Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE - The Vulnerability Information and Coordination Environment",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.50.4",
                  "status": "affected",
                  "version": "1.48.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
            }
          ],
          "datePublic": "2022-10-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-01T21:37:41.256Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
          "x_generator": {
            "engine": "cveClient/1.0.13"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2022-40257",
        "datePublished": "2022-10-10T00:00:00.000Z",
        "dateReserved": "2022-09-08T00:00:00.000Z",
        "dateUpdated": "2024-08-03T12:14:39.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25799 (GCVE-0-2022-25799)

    Vulnerability from cvelistv5 – Published: 2022-08-16 22:00 – Updated: 2024-09-17 02:06
    Title
    An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0
    Summary
    An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
    Severity
    No CVSS data available.
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Date Public
    2022-10-05 00:00
    Credits
    Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:49:43.465Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/CERTCC/VINCE/issues/45"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE - The Vulnerability Information and Coordination Environment",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "1.50.0",
                  "status": "affected",
                  "version": "1.50.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC"
            }
          ],
          "datePublic": "2022-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-06T00:00:00.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
            },
            {
              "url": "https://github.com/CERTCC/VINCE/issues/45"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2022-25799",
        "datePublished": "2022-08-16T22:00:15.993Z",
        "dateReserved": "2022-02-22T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:06:51.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }