12 vulnerabilities found for vince by cert
CVE-2024-10469 (GCVE-0-2024-10469)
Vulnerability from nvd – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
Title
CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
Summary
VINCE versions before 3.0.9 are vulnerable to exposure of user information to authenticated users.
Severity
4.4 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
certcc
References
| URL | Tags |
|---|---|
| https://github.com/CERTCC/VINCE/ (VINCE Project open source repository) | |
Credits
This issue was reported by an internal user of VINCE
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T20:33:48.131122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:23:01.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issues was reported by an internal user of VINCE"
}
],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T22:10:00.825Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VINCE Project open source repository",
"url": "https://github.com/CERTCC/VINCE/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-10469",
"datePublished": "2024-10-28T15:38:29.062Z",
"dateReserved": "2024-10-28T15:20:34.868Z",
"dateUpdated": "2025-08-25T22:10:00.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9953 (GCVE-0-2024-9953)
Vulnerability from nvd – Published: 2024-10-14 21:19 – Updated: 2025-03-20 18:58
Title
Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8
Summary
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
Severity
4.9 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
certcc
References
- CERT/CC GitHub Issues: https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - Vulnerability Information and Coordination Environment | Affected: * , < 3.0.8 (custom) |
Credits
Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-9953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:41:05.626356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:58:47.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE - Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process."
}
],
"descriptions": [
{
"lang": "en",
"value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:14:26.539Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERT/CC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-9953",
"datePublished": "2024-10-14T21:19:26.517Z",
"dateReserved": "2024-10-14T20:49:18.194Z",
"dateUpdated": "2025-03-20T18:58:47.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40238 (GCVE-0-2022-40238)
Vulnerability from nvd – Published: 2022-10-26 15:15 – Updated: 2025-05-07 13:31
Title
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5
Summary
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject an arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
Severity
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
certcc
References
- CERTCC GitHub Issues: https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.48.0 , < 1.50.5 (custom) |
Credits
Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:31:11.683062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:31:41.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.5",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC "
}
],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:36:54.112Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40238",
"datePublished": "2022-10-26T15:15:45.247Z",
"dateReserved": "2022-09-08T19:14:18.690Z",
"dateUpdated": "2025-05-07T13:31:41.213Z",
"requesterUserId": "b7e00183-089e-4194-bbe8-4b7d6adf6c7f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40257 (GCVE-0-2022-40257)
Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
Severity
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
certcc
References
- https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.48.0 , < 1.50.4 (custom) |
Date Public
2022-10-10 00:00
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:41.256Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40257",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-09-08T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40248 (GCVE-0-2022-40248)
Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a form using the "Product Affected" field.
Severity
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
certcc
References
- https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.48.0 , < 1.50.4 (custom) |
Date Public
2022-10-10 00:00
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:23.260Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40248",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-09-08T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25799 (GCVE-0-2022-25799)
Vulnerability from nvd – Published: 2022-08-16 22:00 – Updated: 2024-09-17 02:06
Title
An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0
Summary
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
certcc
References
- https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
- https://github.com/CERTCC/VINCE/issues/45
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.50.0 , < 1.50.0 (custom) |
Date Public
2022-10-05 00:00
Credits
Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.0",
"status": "affected",
"version": "1.50.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0"
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-25799",
"datePublished": "2022-08-16T22:00:15.993Z",
"dateReserved": "2022-02-22T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:51.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10469 (GCVE-0-2024-10469)
Vulnerability from cvelistv5 – Published: 2024-10-28 15:38 – Updated: 2025-08-25 22:10
VLAI?
Title
CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.
Summary
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.
Severity ?
4.4 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
This issues was reported by an internal user of VINCE
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T20:33:48.131122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:23:01.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issues was reported by an internal user of VINCE"
}
],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T22:10:00.825Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VINCE Project open source repository",
"url": "https://github.com/CERTCC/VINCE/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-10469",
"datePublished": "2024-10-28T15:38:29.062Z",
"dateReserved": "2024-10-28T15:20:34.868Z",
"dateUpdated": "2025-08-25T22:10:00.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9953 (GCVE-0-2024-9953)
Vulnerability from cvelistv5 – Published: 2024-10-14 21:19 – Updated: 2025-03-20 18:58
VLAI?
Title
Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8
Summary
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
Severity ?
4.9 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - Vulnerability Information and Coordination Environment |
Affected:
* , < 3.0.8
(custom)
|
Credits
Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-9953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:41:05.626356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:58:47.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VINCE - Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to security researcher @coldwaterhq (https://github.com/coldwaterhq) for reporting this vulnerability and adhering to the responsible disclosure process."
}
],
"descriptions": [
{
"lang": "en",
"value": "A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user\u2019s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:14:26.539Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERT/CC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-9953",
"datePublished": "2024-10-14T21:19:26.517Z",
"dateReserved": "2024-10-14T20:49:18.194Z",
"dateUpdated": "2025-03-20T18:58:47.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40238 (GCVE-0-2022-40238)
Vulnerability from cvelistv5 – Published: 2022-10-26 15:15 – Updated: 2025-05-07 13:31
VLAI?
Title
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5
Summary
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.5
(custom)
|
Credits
Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:31:11.683062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:31:41.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.5",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC "
}
],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user\u0027s profile. This can lead to code execution on the server when the user\u0027s profile is accessed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:36:54.112Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "CERTCC GitHub Issues",
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40238",
"datePublished": "2022-10-26T15:15:45.247Z",
"dateReserved": "2022-09-08T19:14:18.690Z",
"dateUpdated": "2025-05-07T13:31:41.213Z",
"requesterUserId": "b7e00183-089e-4194-bbe8-4b7d6adf6c7f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40257 (GCVE-0-2022-40257)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
VLAI?
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
Severity ?
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment |
Affected:
1.48.0 , < 1.50.4
(custom)
|
Date Public ?
2022-10-10 00:00
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:41.256Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40257",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-09-08T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40248 (GCVE-0-2022-40248)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 12:14
Title
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4
Summary
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
Severity
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.48.0 , < 1.50.4 (custom) |
Date Public
2022-10-10 00:00
Credits
Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.4",
"status": "affected",
"version": "1.48.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rapid7 researcher Nick Sanzotta discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the \"Product Affected\" field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T21:37:23.260Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4",
"x_generator": {
"engine": "cveClient/1.0.13"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-40248",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-09-08T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:14:39.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25799 (GCVE-0-2022-25799)
Vulnerability from cvelistv5 – Published: 2022-08-16 22:00 – Updated: 2024-09-17 02:06
Title
An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0
Summary
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CERT/CC | VINCE - The Vulnerability Information and Coordination Environment | Affected: 1.50.0 , < 1.50.0 (custom) |
Date Public
2022-10-05 00:00
Credits
Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VINCE - The Vulnerability Information and Coordination Environment",
"vendor": "CERT/CC",
"versions": [
{
"lessThan": "1.50.0",
"status": "affected",
"version": "1.50.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jonathan Leitschuh discovered and reported this security vulnerability to CERT/CC"
}
],
"datePublic": "2022-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user\u0027s browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user\u0027s credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
},
{
"url": "https://github.com/CERTCC/VINCE/issues/45"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0"
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-25799",
"datePublished": "2022-08-16T22:00:15.993Z",
"dateReserved": "2022-02-22T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:51.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}