Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for VINCE by CERT/CC

    CVE-2026-8142 (GCVE-0-2026-8142)

    Vulnerability from nvd – Published: 2026-05-07 19:54 – Updated: 2026-06-05 16:26
    VLAI
    Title
    CVE-2026-8142
    Summary
    VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    CERT/CC VINCE Affected: * , ≤ 3.0.38 (semver)
    Create a notification for this product.
    Credits
    Thanks to Guillem Lefait guillem@datamq.com for reporting the issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:54:55.991111Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:55:16.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.38",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T16:26:58.167Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://kb.cert.org/vince"
            },
            {
              "url": "https://github.com/CERTCC/VINCE"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "CVE-2026-8142",
          "x_generator": {
            "engine": "VINCE 3.0.39",
            "env": "prod",
            "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2026-8142",
        "datePublished": "2026-05-07T19:54:49.275Z",
        "dateReserved": "2026-05-07T19:50:29.029Z",
        "dateUpdated": "2026-06-05T16:26:58.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10469 (GCVE-0-2024-10469)

    Vulnerability from nvd – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
    VLAI
    Title
    CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
    Summary
    VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    CERT/CC VINCE Affected: * , < 3.0.9 (semver)
    Create a notification for this product.
    Credits
    This issues was reported by an internal user of VINCE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10469",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T20:33:48.131122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T16:23:01.349Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "3.0.9",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issues was reported by an internal user of VINCE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T22:10:00.825Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VINCE Project open source repository",
              "url": "https://github.com/CERTCC/VINCE/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2024-10469",
        "datePublished": "2024-10-28T15:38:29.062Z",
        "dateReserved": "2024-10-28T15:20:34.868Z",
        "dateUpdated": "2025-08-25T22:10:00.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-8142 (GCVE-0-2026-8142)

    Vulnerability from cvelistv5 – Published: 2026-05-07 19:54 – Updated: 2026-06-05 16:26
    VLAI
    Title
    CVE-2026-8142
    Summary
    VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    CERT/CC VINCE Affected: * , ≤ 3.0.38 (semver)
    Create a notification for this product.
    Credits
    Thanks to Guillem Lefait guillem@datamq.com for reporting the issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:54:55.991111Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:55:16.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.38",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T16:26:58.167Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "url": "https://kb.cert.org/vince"
            },
            {
              "url": "https://github.com/CERTCC/VINCE"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "CVE-2026-8142",
          "x_generator": {
            "engine": "VINCE 3.0.39",
            "env": "prod",
            "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2026-8142",
        "datePublished": "2026-05-07T19:54:49.275Z",
        "dateReserved": "2026-05-07T19:50:29.029Z",
        "dateUpdated": "2026-06-05T16:26:58.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10469 (GCVE-0-2024-10469)

    Vulnerability from cvelistv5 – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
    VLAI
    Title
    CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
    Summary
    VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    CERT/CC VINCE Affected: * , < 3.0.9 (semver)
    Create a notification for this product.
    Credits
    This issues was reported by an internal user of VINCE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10469",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T20:33:48.131122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T16:23:01.349Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VINCE",
              "vendor": "CERT/CC",
              "versions": [
                {
                  "lessThan": "3.0.9",
                  "status": "affected",
                  "version": "*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issues was reported by an internal user of VINCE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T22:10:00.825Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VINCE Project open source repository",
              "url": "https://github.com/CERTCC/VINCE/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
          "x_generator": {
            "engine": "cveClient/1.0.15"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2024-10469",
        "datePublished": "2024-10-28T15:38:29.062Z",
        "dateReserved": "2024-10-28T15:20:34.868Z",
        "dateUpdated": "2025-08-25T22:10:00.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }