Updated advisory posts against rubysec/ruby-advisory-db@c397acb

jasnow · RubySec CI · commit 7eab3946ae38 · 2024-08-14T19:27:52.000Z
diff --git a/advisories/_posts/2024-07-25-CVE-2024-7106.md b/advisories/_posts/2024-07-25-CVE-2024-7106.md
@@ -0,0 +1,42 @@
+---
+layout: advisory
+title: 'CVE-2024-7106 (spina): Cross-Site Request Forgery in Spina'
+comments: false
+categories:
+- spina
+advisory:
+  gem: spina
+  cve: 2024-7106
+  ghsa: wqw3-p83g-r24v
+  url: https://github.com/advisories/GHSA-wqw3-p83g-r24v
+  title: Cross-Site Request Forgery in Spina
+  date: 2024-07-25
+  description: |
+    A vulnerability classified as problematic was found in
+    Spina CMS 2.18.0.
+
+    Affected by this vulnerability is an unknown functionality
+    of the file /admin/media_folders.
+
+    The manipulation leads to cross-site request forgery.
+    The attack can be launched remotely.
+
+    The exploit has been disclosed to the public and may be used.
+
+    The associated identifier of this vulnerability is VDB-272431.
+
+    NOTE: The vendor was contacted early about this disclosure
+    but did not respond in any way.
+  cvss_v2: 5.0
+  cvss_v3: 4.3
+  cvss_v4: 6.9
+  notes: Never patched
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-7106
+    - https://github.com/topsky979/Security-Collections/blob/main/cve3/README.md
+    - https://vuldb.com/?ctiid.272431
+    - https://vuldb.com/?id.272431
+    - https://vuldb.com/?submit.376769
+    - https://github.com/advisories/GHSA-wqw3-p83g-r24v
+---
diff --git a/advisories/_posts/2024-08-13-CVE-2024-42360.md b/advisories/_posts/2024-08-13-CVE-2024-42360.md
@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2024-42360 (sequenceserver): Command Injection in sequenceserver gem'
+comments: false
+categories:
+- sequenceserver
+advisory:
+  gem: sequenceserver
+  cve: 2024-42360
+  ghsa: qv32-5wm2-p32h
+  url: https://github.com/wurmlab/sequenceserver/security/advisories/GHSA-qv32-5wm2-p32h
+  title: Command Injection in sequenceserver gem
+  date: 2024-08-13
+  description: |
+    ### Impact
+
+    Several HTTP endpoints did not properly sanitize user input
+    and/or query parameters. This could be exploited to inject
+    and run unwanted shell commands
+
+    ### Patches
+
+    Fixed in 3.1.2
+
+    ### Workarounds
+
+    No known workarounds
+  cvss_v3: 9.8
+  patched_versions:
+  - ">= 3.1.2"
+  related:
+    url:
+    - https://github.com/wurmlab/sequenceserver/security/advisories/GHSA-qv32-5wm2-p32h
+    - https://github.com/wurmlab/sequenceserver/commit/457e52709f7f9ed2fceed59b3db564cb50785dba
+    - https://github.com/advisories/GHSA-qv32-5wm2-p32h
+---
