
4 vulnerabilities found for VINCE by CERT/CC

CVE-2026-8142 (GCVE-0-2026-8142)

Vulnerability from nvd – Published: 2026-05-07 19:54 – Updated: 2026-05-08 13:55
Title
CVE-2026-8142
Summary
VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address because of encoding confusion, and they use that From address for automated actions such as Ticket creation or Ticket updates.
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
Impacted products
Vendor Product Version
CERT/CC VINCE Affected: 0 , ≤ 3.0.38 (semver)
Credits
Thanks to Guillem Lefait guillem@datamq.com for reporting the issue

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T13:54:55.991111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T13:55:16.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VINCE",
          "vendor": "CERT/CC",
          "versions": [
            {
              "lessThanOrEqual": "3.0.38",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:54:49.275Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://kb.cert.org/vince"
        },
        {
          "url": "https://github.com/CERTCC/VINCE"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CVE-2026-8142",
      "x_generator": {
        "engine": "VINCE 3.0.39",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2026-8142",
    "datePublished": "2026-05-07T19:54:49.275Z",
    "dateReserved": "2026-05-07T19:50:29.029Z",
    "dateUpdated": "2026-05-08T13:55:16.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-10469 (GCVE-0-2024-10469)

Vulnerability from nvd – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
Title
CERT/CC VINCE versions before 3.0.9 allow an authenticated user to access the User Management view.
Summary
VINCE versions before 3.0.9 are vulnerable to exposure of User information to authenticated users.
CWE
  • CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
Vendor Product Version
CERT/CC VINCE Affected: * , < 3.0.9 (semver)
Credits
This issue was reported by an internal user of VINCE

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T20:33:48.131122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-17T16:23:01.349Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "VINCE",
          "vendor": "CERT/CC",
          "versions": [
            {
              "lessThan": "3.0.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issues was reported by an internal user of VINCE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276: Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T22:10:00.825Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VINCE Project open source repository",
          "url": "https://github.com/CERTCC/VINCE/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
      "x_generator": {
        "engine": "cveClient/1.0.15"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2024-10469",
    "datePublished": "2024-10-28T15:38:29.062Z",
    "dateReserved": "2024-10-28T15:20:34.868Z",
    "dateUpdated": "2025-08-25T22:10:00.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2026-8142 (GCVE-0-2026-8142)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:54 – Updated: 2026-05-08 13:55
Title
CVE-2026-8142
Summary
VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address because of encoding confusion, and they use that From address for automated actions such as Ticket creation or Ticket updates.
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
Impacted products
Vendor Product Version
CERT/CC VINCE Affected: 0 , ≤ 3.0.38 (semver)
Credits
Thanks to Guillem Lefait guillem@datamq.com for reporting the issue

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T13:54:55.991111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T13:55:16.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VINCE",
          "vendor": "CERT/CC",
          "versions": [
            {
              "lessThanOrEqual": "3.0.38",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:54:49.275Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://kb.cert.org/vince"
        },
        {
          "url": "https://github.com/CERTCC/VINCE"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CVE-2026-8142",
      "x_generator": {
        "engine": "VINCE 3.0.39",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2026-8142",
    "datePublished": "2026-05-07T19:54:49.275Z",
    "dateReserved": "2026-05-07T19:50:29.029Z",
    "dateUpdated": "2026-05-08T13:55:16.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-10469 (GCVE-0-2024-10469)

Vulnerability from cvelistv5 – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
Title
CERT/CC VINCE versions before 3.0.9 allow an authenticated user to access the User Management view.
Summary
VINCE versions before 3.0.9 are vulnerable to exposure of User information to authenticated users.
CWE
  • CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
Vendor Product Version
CERT/CC VINCE Affected: * , < 3.0.9 (semver)
Credits
This issue was reported by an internal user of VINCE

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T20:33:48.131122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-17T16:23:01.349Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "VINCE",
          "vendor": "CERT/CC",
          "versions": [
            {
              "lessThan": "3.0.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issues was reported by an internal user of VINCE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276: Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T22:10:00.825Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VINCE Project open source repository",
          "url": "https://github.com/CERTCC/VINCE/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
      "x_generator": {
        "engine": "cveClient/1.0.15"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2024-10469",
    "datePublished": "2024-10-28T15:38:29.062Z",
    "dateReserved": "2024-10-28T15:20:34.868Z",
    "dateUpdated": "2025-08-25T22:10:00.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}