Search criteria
14 vulnerabilities found for nGrinder by NAVER
CVE-2024-28216 (GCVE-0-2024-28216)
Vulnerability from nvd – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:17
VLAI?
Summary
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28216.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:41:17.619047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:42:34.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:17:45.466Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28216.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28216",
"datePublished": "2024-03-07T04:50:15.338Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-09-06T04:17:45.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28215 (GCVE-0-2024-28215)
Vulnerability from nvd – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:15
VLAI?
Summary
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28215.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:35:15.864891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:18:55.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:15:12.049Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28215.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28215",
"datePublished": "2024-03-07T04:50:08.422Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-09-06T04:15:12.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28214 (GCVE-0-2024-28214)
Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-11-08 17:07
VLAI?
Summary
nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.
Severity ?
CWE
- CWE-405 - Asymmetric Resource Consumption (Amplification)
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:46:08.193153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T17:07:55.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:12:38.448Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28214",
"datePublished": "2024-03-07T04:49:57.531Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-11-08T17:07:55.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28213 (GCVE-0-2024-28213)
Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-22 20:01
VLAI?
Summary
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28213.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:59:00.791879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:01:34.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28213.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28213",
"datePublished": "2024-03-07T04:49:47.237Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-08-22T20:01:34.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28212 (GCVE-0-2024-28212)
Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-12 19:41
VLAI?
Summary
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28212.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T19:41:37.787067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:41:41.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28212.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28212",
"datePublished": "2024-03-07T04:49:37.921Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-08-12T19:41:41.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28211 (GCVE-0-2024-28211)
Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-05 20:05
VLAI?
Summary
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28211.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:03:53.607719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:05:34.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28211.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28211",
"datePublished": "2024-03-07T04:49:21.951Z",
"dateReserved": "2024-03-07T02:38:58.220Z",
"dateUpdated": "2024-08-05T20:05:34.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-5060 (GCVE-0-2016-5060)
Vulnerability from nvd – Published: 2016-12-13 22:00 – Updated: 2024-08-06 00:46
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:40.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/naver/ngrinder/issues/103"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-13T21:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/naver/ngrinder/issues/103"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-5060",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525",
"refsource": "CONFIRM",
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"name": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"name": "https://github.com/naver/ngrinder/issues/103",
"refsource": "CONFIRM",
"url": "https://github.com/naver/ngrinder/issues/103"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-5060",
"datePublished": "2016-12-13T22:00:00",
"dateReserved": "2016-05-26T00:00:00",
"dateUpdated": "2024-08-06T00:46:40.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28216 (GCVE-0-2024-28216)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:17
VLAI?
Summary
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28216.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:41:17.619047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:42:34.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:17:45.466Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28216.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28216",
"datePublished": "2024-03-07T04:50:15.338Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-09-06T04:17:45.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28215 (GCVE-0-2024-28215)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:15
VLAI?
Summary
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28215.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:35:15.864891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:18:55.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:15:12.049Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28215.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28215",
"datePublished": "2024-03-07T04:50:08.422Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-09-06T04:15:12.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28214 (GCVE-0-2024-28214)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-11-08 17:07
VLAI?
Summary
nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.
Severity ?
CWE
- CWE-405 - Asymmetric Resource Consumption (Amplification)
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:46:08.193153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T17:07:55.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:12:38.448Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28214",
"datePublished": "2024-03-07T04:49:57.531Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-11-08T17:07:55.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28213 (GCVE-0-2024-28213)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-22 20:01
VLAI?
Summary
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28213.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:59:00.791879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:01:34.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28213.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28213",
"datePublished": "2024-03-07T04:49:47.237Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-08-22T20:01:34.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28212 (GCVE-0-2024-28212)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-12 19:41
VLAI?
Summary
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28212.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T19:41:37.787067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:41:41.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28212.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28212",
"datePublished": "2024-03-07T04:49:37.921Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-08-12T19:41:41.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28211 (GCVE-0-2024-28211)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-05 20:05
VLAI?
Summary
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Credits
Peter Stöckli of GitHub Security Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28211.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "ngrinder",
"vendor": "naver",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:03:53.607719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:05:34.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28211.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28211",
"datePublished": "2024-03-07T04:49:21.951Z",
"dateReserved": "2024-03-07T02:38:58.220Z",
"dateUpdated": "2024-08-05T20:05:34.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-5060 (GCVE-0-2016-5060)
Vulnerability from cvelistv5 – Published: 2016-12-13 22:00 – Updated: 2024-08-06 00:46
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:40.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/naver/ngrinder/issues/103"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-13T21:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/naver/ngrinder/issues/103"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-5060",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525",
"refsource": "CONFIRM",
"url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
},
{
"name": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
},
{
"name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2016/Jun/23"
},
{
"name": "https://github.com/naver/ngrinder/issues/103",
"refsource": "CONFIRM",
"url": "https://github.com/naver/ngrinder/issues/103"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-5060",
"datePublished": "2016-12-13T22:00:00",
"dateReserved": "2016-05-26T00:00:00",
"dateUpdated": "2024-08-06T00:46:40.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}