
    10 vulnerabilities by fobybus

    CVE-2023-40174 (GCVE-0-2023-40174)

    Vulnerability from nvd – Published: 2023-08-18 21:41 – Updated: 2024-10-03 14:16
    VLAI
    Title
    Insufficient Session Expiration in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly limit or manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: < 1.0.5
    fobybus social-media-skeleton Affected: 0 , < 1.0.5 (custom)
        cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.684Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "lessThan": "1.0.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T14:13:47.949316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T14:16:00.246Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user\u0027s session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:41:53.666Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
            }
          ],
          "source": {
            "advisory": "GHSA-cr5c-ggwq-g4hq",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient Session Expiration in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40174",
        "datePublished": "2023-08-18T21:41:53.666Z",
        "dateReserved": "2023-08-09T15:26:41.052Z",
        "dateUpdated": "2024-10-03T14:16:00.246Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40173 (GCVE-0-2023-40173)

    Vulnerability from nvd – Published: 2023-08-18 21:47 – Updated: 2024-10-02 15:49
    VLAI
    Title
    Unsalted passwords in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. Prior to version 1.0.5, Social media skeleton did not properly salt passwords, leaving user passwords susceptible to cracking should an attacker gain access to the hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: < 1.0.5
    fobybus social-media-skeleton Affected: 0 , < 1.0.5 (custom)
        cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.634Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "lessThan": "1.0.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40173",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T15:32:14.857051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T15:49:30.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Prior to version 1.0.5 Social media skeleton did not properly salt passwords leaving user passwords susceptible to cracking should an attacker gain access to hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:47:17.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef"
            }
          ],
          "source": {
            "advisory": "GHSA-rfmv-7m7g-v628",
            "discovery": "UNKNOWN"
          },
          "title": "Unsalted passwords in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40173",
        "datePublished": "2023-08-18T21:47:17.987Z",
        "dateReserved": "2023-08-09T15:26:41.051Z",
        "dateUpdated": "2024-10-02T15:49:30.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40172 (GCVE-0-2023-40172)

    Vulnerability from nvd – Published: 2023-08-18 21:48 – Updated: 2024-10-02 15:36
    VLAI
    Title
    Cross-Site Request Forgery (CSRF) in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. A cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to perform. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5, Social media skeleton did not properly restrict CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.660Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T15:31:56.610741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T15:36:25.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5 Social media skeleton did not properly restrict CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:48:42.294Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
            }
          ],
          "source": {
            "advisory": "GHSA-873h-pqjx-3pwg",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Site Request Forgery (CSRF) in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40172",
        "datePublished": "2023-08-18T21:48:42.294Z",
        "dateReserved": "2023-08-09T15:26:41.051Z",
        "dateUpdated": "2024-10-02T15:36:25.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39518 (GCVE-0-2023-39518)

    Vulnerability from nvd – Published: 2023-08-08 18:31 – Updated: 2024-10-03 15:53
    VLAI
    Title
    social-media-skeleton stored Cross-site Scripting vulnerability
    Summary
    social-media-skeleton is an uncompleted social media project implemented using PHP, MySQL, CSS, JavaScript, and HTML. Versions from 1.0.0 up to, but not including, 1.0.3 have a stored cross-site scripting vulnerability. The problem is patched in v1.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: >= 1.0.0, < 1.0.3

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.451Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/pull/4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/pull/4"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T15:53:17.252187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T15:53:26.257Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0, \u003c 1.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "social-media-skeleton is an uncompleted social media project implemented using PHP, MySQL, CSS, JavaScript, and HTML. Versions 1.0.0 until 1.0.3 have a stored cross-site scripting vulnerability. The problem is patched in v1.0.3.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-08T18:31:36.446Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/pull/4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/pull/4"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428"
            }
          ],
          "source": {
            "advisory": "GHSA-2jxx-r967-f76p",
            "discovery": "UNKNOWN"
          },
          "title": "social-media-skeleton stored Cross-site Scripting vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-39518",
        "datePublished": "2023-08-08T18:31:36.446Z",
        "dateReserved": "2023-08-03T16:27:36.261Z",
        "dateUpdated": "2024-10-03T15:53:26.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39344 (GCVE-0-2023-39344)

    Vulnerability from nvd – Published: 2023-08-04 19:49 – Updated: 2024-10-04 19:37
    VLAI
    Title
    social-media-skeleton vulnerable to Pre-Auth SQLi leading to RCE
    Summary
    social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION based injections, which indirectly leads to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: = 1.0
    fobybus social-media-skeleton Affected: 1.0.0
        cpe:2.3:a:fobybus:social-media-skeleton:1.0.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:02:06.867Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:1.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39344",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T19:33:58.203192Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T19:37:11.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION based injections, which indirectly leads to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-04T19:49:19.948Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1"
            }
          ],
          "source": {
            "advisory": "GHSA-857x-p6fq-mgfh",
            "discovery": "UNKNOWN"
          },
          "title": "social-media-skeleton vulnerable to Pre-Auth SQLi leading to RCE"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-39344",
        "datePublished": "2023-08-04T19:49:19.948Z",
        "dateReserved": "2023-07-28T13:26:46.476Z",
        "dateUpdated": "2024-10-04T19:37:11.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40172 (GCVE-0-2023-40172)

    Vulnerability from cvelistv5 – Published: 2023-08-18 21:48 – Updated: 2024-10-02 15:36
    VLAI
    Title
    Cross-Site Request Forgery (CSRF) in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. A cross-site request forgery (CSRF) attack is one in which an attacker tricks a victim into performing an action on a website that they do not intend to perform. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5, Social media skeleton did not properly protect against CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.660Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T15:31:56.610741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T15:36:25.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5 Social media skeleton did not properly restrict CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:48:42.294Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-873h-pqjx-3pwg"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
            }
          ],
          "source": {
            "advisory": "GHSA-873h-pqjx-3pwg",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Site Request Forgery (CSRF) in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40172",
        "datePublished": "2023-08-18T21:48:42.294Z",
        "dateReserved": "2023-08-09T15:26:41.051Z",
        "dateUpdated": "2024-10-02T15:36:25.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40173 (GCVE-0-2023-40173)

    Vulnerability from cvelistv5 – Published: 2023-08-18 21:47 – Updated: 2024-10-02 15:49
    VLAI
    Title
    Unsalted passwords in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. Prior to version 1.0.5, Social media skeleton did not properly salt passwords, leaving user passwords susceptible to cracking should an attacker gain access to the hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: < 1.0.5
    fobybus social-media-skeleton Affected: 0 , < 1.0.5 (custom)
        cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.634Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "lessThan": "1.0.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40173",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T15:32:14.857051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T15:49:30.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Prior to version 1.0.5 Social media skeleton did not properly salt passwords leaving user passwords susceptible to cracking should an attacker gain access to hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:47:17.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-rfmv-7m7g-v628"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/344d798e82d6cc39844962c6d3cb2560f5907848"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/df31da44ffed3ea065cbbadc3c8052d0d489a2ef"
            }
          ],
          "source": {
            "advisory": "GHSA-rfmv-7m7g-v628",
            "discovery": "UNKNOWN"
          },
          "title": "Unsalted passwords in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40173",
        "datePublished": "2023-08-18T21:47:17.987Z",
        "dateReserved": "2023-08-09T15:26:41.051Z",
        "dateUpdated": "2024-10-02T15:49:30.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40174 (GCVE-0-2023-40174)

    Vulnerability from cvelistv5 – Published: 2023-08-18 21:41 – Updated: 2024-10-03 14:16
    VLAI
    Title
    Insufficient Session Expiration in fobybus/social-media-skeleton
    Summary
    Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: < 1.0.5
    fobybus social-media-skeleton Affected: 0 , < 1.0.5 (custom)
        cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:24:55.684Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "lessThan": "1.0.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T14:13:47.949316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T14:16:00.246Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user\u0027s session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-18T21:41:53.666Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
            }
          ],
          "source": {
            "advisory": "GHSA-cr5c-ggwq-g4hq",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient Session Expiration in fobybus/social-media-skeleton"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40174",
        "datePublished": "2023-08-18T21:41:53.666Z",
        "dateReserved": "2023-08-09T15:26:41.052Z",
        "dateUpdated": "2024-10-03T14:16:00.246Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39518 (GCVE-0-2023-39518)

    Vulnerability from cvelistv5 – Published: 2023-08-08 18:31 – Updated: 2024-10-03 15:53
    VLAI
    Title
    social-media-skeleton stored Cross-site Scripting vulnerability
    Summary
    social-media-skeleton is an uncompleted social media project implemented using PHP, MySQL, CSS, JavaScript, and HTML. Versions from 1.0.0 up to, but not including, 1.0.3 have a stored cross-site scripting vulnerability. The problem is patched in v1.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: >= 1.0.0, < 1.0.3

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.451Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/pull/4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/pull/4"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T15:53:17.252187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T15:53:26.257Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0, \u003c 1.0.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "social-media-skeleton is an uncompleted social media project implemented using PHP, MySQL, CSS, JavaScript, and HTML. Versions 1.0.0 until 1.0.3 have a stored cross-site scripting vulnerability. The problem is patched in v1.0.3.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-08T18:31:36.446Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-2jxx-r967-f76p"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/pull/4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/pull/4"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/6765d1109016e1f1d707ef47917927c7704e6428"
            }
          ],
          "source": {
            "advisory": "GHSA-2jxx-r967-f76p",
            "discovery": "UNKNOWN"
          },
          "title": "social-media-skeleton stored Cross-site Scripting vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-39518",
        "datePublished": "2023-08-08T18:31:36.446Z",
        "dateReserved": "2023-08-03T16:27:36.261Z",
        "dateUpdated": "2024-10-03T15:53:26.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39344 (GCVE-0-2023-39344)

    Vulnerability from cvelistv5 – Published: 2023-08-04 19:49 – Updated: 2024-10-04 19:37
    VLAI
    Title
    social-media-skeleton vulnerable to Pre-Auth SQLi leading to RCE
    Summary
    social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION-based injections, which indirectly lead to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    fobybus social-media-skeleton Affected: = 1.0
    fobybus social-media-skeleton Affected: 1.0.0
        cpe:2.3:a:fobybus:social-media-skeleton:1.0.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:02:06.867Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh"
              },
              {
                "name": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fobybus:social-media-skeleton:1.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "social-media-skeleton",
                "vendor": "fobybus",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39344",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T19:33:58.203192Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T19:37:11.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "social-media-skeleton",
              "vendor": "fobybus",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION based injections, which indirectly leads to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-04T19:49:19.948Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-857x-p6fq-mgfh"
            },
            {
              "name": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fobybus/social-media-skeleton/commit/3cabdd35c3d874608883c9eaf9bf69b2014d25c1"
            }
          ],
          "source": {
            "advisory": "GHSA-857x-p6fq-mgfh",
            "discovery": "UNKNOWN"
          },
          "title": "social-media-skeleton vulnerable to Pre-Auth SQLi leading to RCE"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-39344",
        "datePublished": "2023-08-04T19:49:19.948Z",
        "dateReserved": "2023-07-28T13:26:46.476Z",
        "dateUpdated": "2024-10-04T19:37:11.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }