3 changes (3 new | 0 updated):
      - 3 new CVEs:  CVE-2025-1022, CVE-2025-1025, CVE-2025-1026
      - 0 updated CVEs:
cvelistV5 Github Action committed Feb 5, 2025
1 parent d4e9aa8 commit d37e770
Showing 5 changed files with 383 additions and 8 deletions.
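--- a/cves/2025/1xxx/CVE-2025-1022.json
+++ b/cves/2025/1xxx/CVE-2025-1022.json
@@ -0,0 +1,110 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.1",
+"cveMetadata": {
+"cveId": "CVE-2025-1022",
+"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"state": "PUBLISHED",
+"assignerShortName": "snyk",
+"dateReserved": "2025-02-04T10:20:48.623Z",
+"datePublished": "2025-02-05T05:00:15.399Z",
+"dateUpdated": "2025-02-05T05:00:15.399Z"
+},
+"containers": {
+"cna": {
+"metrics": [
+{
+"cvssV3_1": {
+"version": "3.1",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"exploitCodeMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"scope": "UNCHANGED",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "LOW",
+"availabilityImpact": "NONE",
+"baseScore": 8.2,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P"
+},
+"cvssV4_0": {
+"version": "4.0",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"attackRequirements": "NONE",
+"exploitMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"vulnConfidentialityImpact": "HIGH",
+"vulnIntegrityImpact": "LOW",
+"vulnAvailabilityImpact": "NONE",
+"subConfidentialityImpact": "NONE",
+"subIntegrityImpact": "NONE",
+"subAvailabilityImpact": "NONE",
+"baseScore": 8.8,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
+}
+}
+],
+"credits": [
+{
+"value": "Ee Yang Tee",
+"lang": "en"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"cweId": "CWE-20",
+"description": "Improper Input Validation",
+"lang": "en"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"shortName": "snyk",
+"dateUpdated": "2025-02-05T05:00:15.399Z"
+},
+"descriptions": [
+{
+"value": "Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.",
+"lang": "en"
+}
+],
+"references": [
+{
+"url": "https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747"
+},
+{
+"url": "https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7"
+},
+{
+"url": "https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72"
+},
+{
+"url": "https://gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341"
+}
+],
+"affected": [
+{
+"product": "spatie/browsershot",
+"versions": [
+{
+"version": "0",
+"lessThan": "5.0.5",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"vendor": "n/a"
+}
+]
+}
+}
+}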
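Review bot: The `affected` entry identifies the package only through the free-text pair `"vendor": "n/a"` and `"product": "spatie/browsershot"`, so dependency scanners have to string-match the product name to tie this record to the actual package. The record format has `collectionURL` and `packageName` for this; I would add, for example, `"collectionURL": "https://packagist.org"` and `"packageName": "spatie/browsershot"` next to `product`. Adding `"defaultStatus": "unaffected"` would also stop versions from 5.0.5 onward being read as unknown. The same applies to the `affected` blocks in CVE-2025-1025.json and CVE-2025-1026.json.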
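--- a/cves/2025/1xxx/CVE-2025-1025.json
+++ b/cves/2025/1xxx/CVE-2025-1025.json
@@ -0,0 +1,110 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.1",
+"cveMetadata": {
+"cveId": "CVE-2025-1025",
+"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"state": "PUBLISHED",
+"assignerShortName": "snyk",
+"dateReserved": "2025-02-04T10:37:52.454Z",
+"datePublished": "2025-02-05T05:00:16.269Z",
+"dateUpdated": "2025-02-05T05:00:16.269Z"
+},
+"containers": {
+"cna": {
+"metrics": [
+{
+"cvssV3_1": {
+"version": "3.1",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"exploitCodeMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"scope": "UNCHANGED",
+"confidentialityImpact": "NONE",
+"integrityImpact": "HIGH",
+"availabilityImpact": "NONE",
+"baseScore": 7.5,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P"
+},
+"cvssV4_0": {
+"version": "4.0",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"attackRequirements": "NONE",
+"exploitMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"vulnConfidentialityImpact": "NONE",
+"vulnIntegrityImpact": "HIGH",
+"vulnAvailabilityImpact": "NONE",
+"subConfidentialityImpact": "NONE",
+"subIntegrityImpact": "NONE",
+"subAvailabilityImpact": "NONE",
+"baseScore": 8.7,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
+}
+}
+],
+"credits": [
+{
+"value": "Chi Siang Choo",
+"lang": "en"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"cweId": "CWE-434",
+"description": "Arbitrary File Upload",
+"lang": "en"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"shortName": "snyk",
+"dateUpdated": "2025-02-05T05:00:16.269Z"
+},
+"descriptions": [
+{
+"value": "Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.",
+"lang": "en"
+}
+],
+"references": [
+{
+"url": "https://security.snyk.io/vuln/SNYK-PHP-COCKPITHQCOCKPIT-8516320"
+},
+{
+"url": "https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592"
+},
+{
+"url": "https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae"
+},
+{
+"url": "https://gist.github.com/CHOOCS/fe1227443544d5d74c33982814f290af"
+}
+],
+"affected": [
+{
+"product": "cockpit-hq/cockpit",
+"versions": [
+{
+"version": "0",
+"lessThan": "2.4.1",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"vendor": "n/a"
+}
+]
+}
+}
+}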
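Review bot: The `problemTypes` entry labels CWE-434 as `"Arbitrary File Upload"`, which is not the CWE's own name, so tools that group on the description string rather than on `cweId` will not file this with other CWE-434 records. I would write `"description": "CWE-434 Unrestricted Upload of File with Dangerous Type"` and add `"type": "CWE"` to the same object. The `descriptions` text also does not say which upload path or extension check is affected, so a reader has to open the referenced commits to learn what to verify after upgrading to 2.4.1. One sentence naming the component would let the record stand on its own.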
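--- a/cves/2025/1xxx/CVE-2025-1026.json
+++ b/cves/2025/1xxx/CVE-2025-1026.json
@@ -0,0 +1,117 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.1",
+"cveMetadata": {
+"cveId": "CVE-2025-1026",
+"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"state": "PUBLISHED",
+"assignerShortName": "snyk",
+"dateReserved": "2025-02-04T13:38:43.390Z",
+"datePublished": "2025-02-05T05:00:01.940Z",
+"dateUpdated": "2025-02-05T05:00:01.940Z"
+},
+"containers": {
+"cna": {
+"metrics": [
+{
+"cvssV3_1": {
+"version": "3.1",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"exploitCodeMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"scope": "CHANGED",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "NONE",
+"availabilityImpact": "NONE",
+"baseScore": 8.6,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P"
+},
+"cvssV4_0": {
+"version": "4.0",
+"attackVector": "NETWORK",
+"attackComplexity": "LOW",
+"attackRequirements": "NONE",
+"exploitMaturity": "PROOF_OF_CONCEPT",
+"privilegesRequired": "NONE",
+"userInteraction": "NONE",
+"vulnConfidentialityImpact": "NONE",
+"vulnIntegrityImpact": "NONE",
+"vulnAvailabilityImpact": "NONE",
+"subConfidentialityImpact": "HIGH",
+"subIntegrityImpact": "NONE",
+"subAvailabilityImpact": "NONE",
+"baseScore": 7.7,
+"baseSeverity": "HIGH",
+"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"
+}
+}
+],
+"credits": [
+{
+"value": "Chua Jian Shen",
+"lang": "en"
+},
+{
+"value": "Ee Yang Tee",
+"lang": "en"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"cweId": "CWE-20",
+"description": "Improper Input Validation",
+"lang": "en"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
+"shortName": "snyk",
+"dateUpdated": "2025-02-05T05:00:01.940Z"
+},
+"descriptions": [
+{
+"value": "Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files.\r\r**Note:**\r\rThis is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).",
+"lang": "en"
+}
+],
+"references": [
+{
+"url": "https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533024"
+},
+{
+"url": "https://gist.github.com/chuajianshen/6291920112fcf1543fa7b43862112be6"
+},
+{
+"url": "https://github.com/spatie/browsershot/pull/908"
+},
+{
+"url": "https://gist.github.com/mrdgef/54a8783408220c67c1b859df38a52d65"
+},
+{
+"url": "https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72"
+}
+],
+"affected": [
+{
+"product": "spatie/browsershot",
+"versions": [
+{
+"version": "0",
+"lessThan": "5.0.5",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"vendor": "n/a"
+}
+]
+}
+}
+}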
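Review bot: The `descriptions` value carries `\r\r**Note:**\r\r` and a Markdown link inside a plain-text field, so any consumer that displays the string as-is will show bare carriage returns and raw markup. I would end the text with the plain sentence `This is a bypass of the fix for CVE-2024-21549.` and move the Snyk URL for that earlier issue into `references`. Separately, this record scores the file read as `S:C` and `SC:H`, while CVE-2025-1022.json scores what appears to be the same kind of impact in the same package as `S:U` and `VC:H`. One of the two scope assignments is probably worth re-checking so the sibling records rank consistently.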
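--- a/cves/delta.json
+++ b/cves/delta.json
@@ -1,14 +1,26 @@
 {
-"fetchTime": "2025-02-05T04:58:51.874Z",
-"numberOfChanges": 1,
-"new": [],
-"updated": [
+"fetchTime": "2025-02-05T05:07:26.666Z",
+"numberOfChanges": 3,
+"new": [
 {
-"cveId": "CVE-2025-25246",
-"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2025-25246",
-"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/25xxx/CVE-2025-25246.json",
-"dateUpdated": "2025-02-05T04:52:42.145Z"
+"cveId": "CVE-2025-1022",
+"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2025-1022",
+"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/1xxx/CVE-2025-1022.json",
+"dateUpdated": "2025-02-05T05:00:15.399Z"
+},
+{
+"cveId": "CVE-2025-1025",
+"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2025-1025",
+"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/1xxx/CVE-2025-1025.json",
+"dateUpdated": "2025-02-05T05:00:16.269Z"
+},
+{
+"cveId": "CVE-2025-1026",
+"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2025-1026",
+"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/1xxx/CVE-2025-1026.json",
+"dateUpdated": "2025-02-05T05:00:01.940Z"
 }
 ],
+"updated": [],
 "error": []
 }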