Refine your search
3 vulnerabilities found for by circl
CVE-2025-42620 (GCVE-0-2025-42620)
Vulnerability from cvelistv5
Published
2025-12-08 12:15
Modified
2025-12-08 12:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
In affected versions, vulnerability-lookup handled user-controlled
content in comments and bundles in an unsafe way, which could lead to
stored Cross-Site Scripting (XSS).
On the backend, the related_vulnerabilities field of bundles accepted
arbitrary strings without format validation or proper sanitization. On
the frontend, comment and bundle descriptions were converted from
Markdown to HTML and then injected directly into the DOM using string
templates and innerHTML. This combination allowed an attacker who could
create or edit comments or bundles to store crafted HTML/JavaScript
payloads which would later be rendered and executed in the browser of
any user visiting the affected profile page (user.html).
This issue affects Vulnerability-Lookup: before 2.18.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T12:27:00.493206Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T12:27:15.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\n\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\nIn affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u0026nbsp;\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
}
],
"value": "In affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u00a0\n\n\n\n\n\n\n\nThis issue affects Vulnerability-Lookup: before 2.18.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T12:15:15.950Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0035"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2025-42620",
"datePublished": "2025-12-08T12:15:15.950Z",
"dateReserved": "2025-04-16T12:34:02.867Z",
"dateUpdated": "2025-12-08T12:27:15.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-42616 (GCVE-0-2025-42616)
Vulnerability from cvelistv5
Published
2025-12-08 12:09
Modified
2025-12-08 14:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Some endpoints in vulnerability-lookup that modified
application state (e.g. changing database entries, user data,
configurations, or other privileged actions) may have been accessible
via HTTP GET requests without requiring a CSRF token. This flaw leaves
the application vulnerable to Cross-Site Request Forgery (CSRF) attacks:
an attacker who tricks a logged-in user into visiting a malicious
website could cause the user’s browser to issue GET requests that
perform unintended state-changing operations in the context of their
authenticated session.
Because the server would treat these GET requests as valid (since no
CSRF protection or POST method enforcement was in place), the attacker
could exploit this to escalate privileges, change settings, or carry out
other unauthorized actions without needing the user’s explicit consent
or awareness.
The fix ensures that all state-changing endpoints now require HTTP POST
requests and include a valid CSRF token. This enforces that state
changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T14:46:29.136113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T14:46:41.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eSome endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u0026nbsp;\u003cbr\u003eThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u0026nbsp;This issue affects Vulnerability-Lookup: before 2.18.0.\u003c/div\u003e"
}
],
"value": "Some endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u00a0\nThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u00a0This issue affects Vulnerability-Lookup: before 2.18.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T12:58:58.408Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0034"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2025-42616",
"datePublished": "2025-12-08T12:09:22.893Z",
"dateReserved": "2025-04-16T12:34:02.866Z",
"dateUpdated": "2025-12-08T14:46:41.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-42615 (GCVE-0-2025-42615)
Vulnerability from cvelistv5
Published
2025-12-08 12:01
Modified
2025-12-08 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
In affected versions, vulnerability-lookup did not track or limit failed
One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)
verification. An attacker who already knew or guessed a valid username
and password could submit an arbitrary number of OTP codes without
causing the account to be locked or generating any specific alert for
administrators.
This lack of rate-limiting and lockout on OTP failures significantly
lowers the cost of online brute-force attacks against 2FA codes and
increases the risk of successful account takeover, especially if OTP
entropy is reduced (e.g. short numeric codes, user reuse, or predictable
tokens). Additionally, administrators had no direct visibility into
accounts experiencing repeated 2FA failures, making targeted attacks
harder to detect and investigate.
The patch introduces a persistent failed_otp_attempts counter on user
accounts, locks the user after 5 invalid OTP submissions, resets the
counter on successful verification, and surfaces failed 2FA attempts in
the admin user list. This enforces an account lockout policy for OTP
brute-force attempts and improves monitoring capabilities for suspicious
2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T16:58:48.964002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T20:10:21.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vulnerability-Lookup",
"vendor": "CIRCL",
"versions": [
{
"lessThan": "2.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
}
],
"value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T12:01:05.831Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0033"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2025-42615",
"datePublished": "2025-12-08T12:01:05.831Z",
"dateReserved": "2025-04-16T12:34:02.866Z",
"dateUpdated": "2025-12-08T20:10:21.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}