

    CVE-2024-4836 (GCVE-0-2024-4836)

    Vulnerability from nvd – Published: 2024-07-02 08:44 – Updated: 2024-08-01 20:55
    Title
    LFI in sites managed by Edito CMS
    Summary
    Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data because they allow an unauthenticated user to download configuration files. The issue in versions 3.5 - 3.25 was removed in releases dating from the 10th of January 2014. Higher versions were never affected.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    References
    Impacted products
    Vendor Product Version
    Edito Edito CMS Affected: 3.5 , ≤ 3.25 (semver)
    edito edito_cms Affected: 3.25 , ≤ 3.5 (semver) — the ADP bounds appear inverted relative to the CNA entry above (3.5 , ≤ 3.25); as written this is an empty interval, so consumers should take the affected range from the CNA entry.
        cpe:2.3:a:edito:edito_cms:*:*:*:*:*:*:*:*
    Date Public
    2024-07-02 08:43

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:edito:edito_cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "edito_cms",
                "vendor": "edito",
                "versions": [
                  {
                    "lessThanOrEqual": "3.5",
                    "status": "affected",
                    "version": "3.25",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4836",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T18:15:33.246242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T18:18:27.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:09.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.edito.pl/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/en/posts/2024/07/CVE-2024-4836"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/posts/2024/07/CVE-2024-4836"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Edito CMS",
              "vendor": "Edito",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "patch 10.01.2014",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.25",
                  "status": "affected",
                  "version": "3.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-07-02T08:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user.\u003cbr\u003eThe issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected."
                }
              ],
              "value": "Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user.\nThe issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-252 PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-02T08:44:05.732Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.edito.pl/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2024/07/CVE-2024-4836"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/posts/2024/07/CVE-2024-4836"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "LFI in sites managed by Edito CMS",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor.\u0026nbsp;"
                }
              ],
              "value": "It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2024-4836",
        "datePublished": "2024-07-02T08:44:05.732Z",
        "dateReserved": "2024-05-13T10:34:57.036Z",
        "dateUpdated": "2024-08-01T20:55:09.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-4836 (GCVE-0-2024-4836)

    Vulnerability from cvelistv5 – Published: 2024-07-02 08:44 – Updated: 2024-08-01 20:55
    Title
    LFI in sites managed by Edito CMS
    Summary
    Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data because they allow an unauthenticated user to download configuration files. The issue in versions 3.5 - 3.25 was removed in releases dating from the 10th of January 2014. Higher versions were never affected.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    References
    Impacted products
    Vendor Product Version
    Edito Edito CMS Affected: 3.5 , ≤ 3.25 (semver)
    edito edito_cms Affected: 3.25 , ≤ 3.5 (semver) — the ADP bounds appear inverted relative to the CNA entry above (3.5 , ≤ 3.25); as written this is an empty interval, so consumers should take the affected range from the CNA entry.
        cpe:2.3:a:edito:edito_cms:*:*:*:*:*:*:*:*
    Date Public
    2024-07-02 08:43

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:edito:edito_cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "edito_cms",
                "vendor": "edito",
                "versions": [
                  {
                    "lessThanOrEqual": "3.5",
                    "status": "affected",
                    "version": "3.25",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4836",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T18:15:33.246242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T18:18:27.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:09.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.edito.pl/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/en/posts/2024/07/CVE-2024-4836"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/posts/2024/07/CVE-2024-4836"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Edito CMS",
              "vendor": "Edito",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "patch 10.01.2014",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.25",
                  "status": "affected",
                  "version": "3.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-07-02T08:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user.\u003cbr\u003eThe issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected."
                }
              ],
              "value": "Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user.\nThe issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-252 PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-02T08:44:05.732Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.edito.pl/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2024/07/CVE-2024-4836"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/posts/2024/07/CVE-2024-4836"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "LFI in sites managed by Edito CMS",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor.\u0026nbsp;"
                }
              ],
              "value": "It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2024-4836",
        "datePublished": "2024-07-02T08:44:05.732Z",
        "dateReserved": "2024-05-13T10:34:57.036Z",
        "dateUpdated": "2024-08-01T20:55:09.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }