From ea0ab0e77d2dd93af26f0a0c311746f24ef32219 Mon Sep 17 00:00:00 2001
From: Ruth Cheesley
Date: Thu, 14 Jan 2021 20:41:33 +0000
Subject: [PATCH 1/5] Add Mautic directory and include first three CVE reports

---
 mautic/core/CVE-2020-35124.yaml | 12 ++++++++++++
 mautic/core/CVE-2020-35125.yaml | 0
 mautic/core/CVE-2021-3142.yaml | 17 +++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 mautic/core/CVE-2020-35124.yaml
 create mode 100644 mautic/core/CVE-2020-35125.yaml
 create mode 100644 mautic/core/CVE-2021-3142.yaml

diff --git a/mautic/core/CVE-2020-35124.yaml b/mautic/core/CVE-2020-35124.yaml
new file mode 100644
index 000000000..f1cd798b7
--- /dev/null
+++ b/mautic/core/CVE-2020-35124.yaml
@@ -0,0 +1,12 @@
+title: Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
+link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
+cve: CVE-2020-35124
+branches:
+ features:
+ time: 2021-01-14 17:07:00
+ versions: ['>=7.0.0','<7.74']
+ 3.2:
+ time: 2021-01-14 17:07:00
+ versions: ['>=8.0.0','<8.1.0']
+
+reference: composer://mautic/core
diff --git a/mautic/core/CVE-2020-35125.yaml b/mautic/core/CVE-2020-35125.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/mautic/core/CVE-2021-3142.yaml b/mautic/core/CVE-2021-3142.yaml
new file mode 100644
index 000000000..b38efd0d7
--- /dev/null
+++ b/mautic/core/CVE-2021-3142.yaml
@@ -0,0 +1,17 @@
+title: Mautic core - Moderately Critical - XSS vulnerability when creating/editing a company
+link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
+cve: CVE-2021-3142
+branches:
+ features:
+ time: 2021-01-14 17:07:00
+ versions: ['<=2.16.4','<=3.2.3']
+ 3.2:
+ time: 2021-01-14 17:07:00
+ versions: ['<=2.16.4','<=3.2.3']
+ 3.1:
+ time: 2021-01-14 17:07:00
+ versions: ['<=2.16.4','<=3.2.3']
+ 2.16:
+ time: 2021-01-14 17:07:00
+ versions: [ '<=2.16.4','<=3.2.3' ]
+reference: composer://mautic/core

From 3b5cc150730679e2b5cc4d66033ba4045026430f Mon Sep 17 00:00:00 2001
From: Ruth Cheesley
Date: Thu, 14 Jan 2021 20:47:20 +0000
Subject: [PATCH 2/5] Always helps to save before committing :facepalm:

---
 mautic/core/CVE-2020-35124.yaml | 11 ++++++++---
 mautic/core/CVE-2020-35125.yaml | 17 +++++++++++++++++
 mautic/core/CVE-2021-3142.yaml | 8 ++++----
 3 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/mautic/core/CVE-2020-35124.yaml b/mautic/core/CVE-2020-35124.yaml
index f1cd798b7..61726c38e 100644
--- a/mautic/core/CVE-2020-35124.yaml
+++ b/mautic/core/CVE-2020-35124.yaml
@@ -4,9 +4,14 @@ cve: CVE-2020-35124
 branches:
 features:
 time: 2021-01-14 17:07:00
- versions: ['>=7.0.0','<7.74']
+ versions: ['<=3.2.3']
 3.2:
 time: 2021-01-14 17:07:00
- versions: ['>=8.0.0','<8.1.0']
-
+ versions: ['<=3.2.3']
+ 3.1:
+ time: 2021-01-14 17:07:00
+ versions: ['<=3.2.3']
+ 2.16:
+ time: 2021-01-14 17:07:00
+ versions: [ '<=2.16.4' ]
 reference: composer://mautic/core
diff --git a/mautic/core/CVE-2020-35125.yaml b/mautic/core/CVE-2020-35125.yaml
index e69de29bb..e40e5bbe6 100644
--- a/mautic/core/CVE-2020-35125.yaml
+++ b/mautic/core/CVE-2020-35125.yaml
@@ -0,0 +1,17 @@
+title: Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
+link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
+cve: CVE-2020-35125
+branches:
+ features:
+ time: 2021-01-14 17:07:00
+ versions: ['<=3.2.3']
+ 3.2:
+ time: 2021-01-14 17:07:00
+ versions: ['<=3.2.3']
+ 3.1:
+ time: 2021-01-14 17:07:00
+ versions: ['<=3.2.3']
+ 2.16:
+ time: 2021-01-14 17:07:00
+ versions: [ '<=2.16.4' ]
+reference: composer://mautic/core
diff --git a/mautic/core/CVE-2021-3142.yaml b/mautic/core/CVE-2021-3142.yaml
index b38efd0d7..ba00f322d 100644
--- a/mautic/core/CVE-2021-3142.yaml
+++ b/mautic/core/CVE-2021-3142.yaml
@@ -4,14 +4,14 @@ cve: CVE-2021-3142
 branches:
 features:
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4','<=3.2.3']
+ versions: ['<=3.2.3']
 3.2:
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4','<=3.2.3']
+ versions: ['<=3.2.3']
 3.1:
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4','<=3.2.3']
+ versions: ['<=3.2.3']
 2.16:
 time: 2021-01-14 17:07:00
- versions: [ '<=2.16.4','<=3.2.3' ]
+ versions: [ '<=2.16.4' ]
 reference: composer://mautic/core

From 6e3b2f5d8e43731503bcab47045905db11dfde6a Mon Sep 17 00:00:00 2001
From: Ruth Cheesley
Date: Fri, 15 Jan 2021 13:19:52 +0000
Subject: [PATCH 3/5] Fix failing validation on numerical branch names

---
 mautic/core/CVE-2020-35124.yaml | 8 ++++----
 mautic/core/CVE-2020-35125.yaml | 8 ++++----
 mautic/core/CVE-2021-3142.yaml | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/mautic/core/CVE-2020-35124.yaml b/mautic/core/CVE-2020-35124.yaml
index 61726c38e..c6be37910 100644
--- a/mautic/core/CVE-2020-35124.yaml
+++ b/mautic/core/CVE-2020-35124.yaml
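Review bot: The `title` of this new CVE-2020-35125.yaml is byte-identical to the one given to CVE-2020-35124.yaml in patch 1 (`Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access`), so two distinct CVE identifiers are now described as the same issue. The linked advisory covers several fixes, and anything that displays or matches on the title will not be able to tell the two entries apart; one of the two titles is presumably a copy-paste leftover. Please check the advisory text and give this file the wording that belongs to CVE-2020-35125, keeping the `cve:` and `link:` lines as they are.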
@@ -5,13 +5,13 @@ branches:
 features:
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.2:
+ '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.1:
+ '3.1':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 2.16:
+ '2.16':
 time: 2021-01-14 17:07:00
- versions: [ '<=2.16.4' ]
+ versions: ['<=2.16.4']
 reference: composer://mautic/core
diff --git a/mautic/core/CVE-2020-35125.yaml b/mautic/core/CVE-2020-35125.yaml
index e40e5bbe6..44d9f5d24 100644
--- a/mautic/core/CVE-2020-35125.yaml
+++ b/mautic/core/CVE-2020-35125.yaml
@@ -5,13 +5,13 @@ branches:
 features:
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.2:
+ '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.1:
+ '3.1':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 2.16:
+ '2.16':
 time: 2021-01-14 17:07:00
- versions: [ '<=2.16.4' ]
+ versions: ['<=2.16.4']
 reference: composer://mautic/core
diff --git a/mautic/core/CVE-2021-3142.yaml b/mautic/core/CVE-2021-3142.yaml
index ba00f322d..ab6c0f849 100644
--- a/mautic/core/CVE-2021-3142.yaml
+++ b/mautic/core/CVE-2021-3142.yaml
@@ -5,13 +5,13 @@ branches:
 features:
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.2:
+ '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 3.1:
+ '3.1':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
- 2.16:
+ '2.16':
 time: 2021-01-14 17:07:00
- versions: [ '<=2.16.4' ]
+ versions: ['<=2.16.4']
 reference: composer://mautic/core

From 02b78537ee0c086c5ce4e9bf3d236765132633b7 Mon Sep 17 00:00:00 2001
From: Ruth Cheesley
Date: Fri, 15 Jan 2021 15:11:49 +0000
Subject: [PATCH 4/5] Fix failing validation on version numbers

---
 mautic/core/CVE-2020-35124.yaml | 2 +-
 mautic/core/CVE-2020-35125.yaml | 2 +-
 mautic/core/CVE-2021-3142.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mautic/core/CVE-2020-35124.yaml b/mautic/core/CVE-2020-35124.yaml
index c6be37910..5b1d32c89 100644
--- a/mautic/core/CVE-2020-35124.yaml
+++ b/mautic/core/CVE-2020-35124.yaml
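Review bot: The `time: 2021-01-14 17:07:00` values in this hunk are still plain scalars, which is the same implicit-typing trap the commit fixes for the `3.2`/`3.1`/`2.16` keys: a YAML 1.1 loader such as PyYAML resolves an unquoted `YYYY-MM-DD HH:MM:SS` scalar as a timestamp object, while other loaders keep it as a string, so the consumer's type depends on which parser reads the file. If the validator expects a string, quote it the same way the branch names now are, `time: '2021-01-14 17:07:00'`, on all three branches; if it expects a real timestamp, the ISO form with a `T` separator and an explicit zone (`2021-01-14T17:07:00Z`) is the spelling that parses the same everywhere. Which applies depends on the schema and on how the repository's other entries are written, neither of which is visible here. The same lines appear in the CVE-2020-35125 and CVE-2021-3142 hunks of this patch.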
@@ -13,5 +13,5 @@ branches:
 versions: ['<=3.2.3']
 '2.16':
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4']
+ versions: ['>=2.0.0', '<=2.16.4']
 reference: composer://mautic/core
diff --git a/mautic/core/CVE-2020-35125.yaml b/mautic/core/CVE-2020-35125.yaml
index 44d9f5d24..9015d3362 100644
--- a/mautic/core/CVE-2020-35125.yaml
+++ b/mautic/core/CVE-2020-35125.yaml
@@ -13,5 +13,5 @@ branches:
 versions: ['<=3.2.3']
 '2.16':
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4']
+ versions: ['>=2.0.0', '<=2.16.4']
 reference: composer://mautic/core
diff --git a/mautic/core/CVE-2021-3142.yaml b/mautic/core/CVE-2021-3142.yaml
index ab6c0f849..409be8352 100644
--- a/mautic/core/CVE-2021-3142.yaml
+++ b/mautic/core/CVE-2021-3142.yaml
@@ -13,5 +13,5 @@ branches:
 versions: ['<=3.2.3']
 '2.16':
 time: 2021-01-14 17:07:00
- versions: ['<=2.16.4']
+ versions: ['>=2.0.0', '<=2.16.4']
 reference: composer://mautic/core

From 3dd65daccafe35732a127cf41860b7ca9aecfbe9 Mon Sep 17 00:00:00 2001
From: Ruth Cheesley
Date: Mon, 18 Jan 2021 10:28:07 +0000
Subject: [PATCH 5/5] remove features branch

---
 mautic/core/CVE-2020-35124.yaml | 3 ---
 mautic/core/CVE-2020-35125.yaml | 3 ---
 mautic/core/CVE-2021-3142.yaml | 3 ---
 3 files changed, 9 deletions(-)

diff --git a/mautic/core/CVE-2020-35124.yaml b/mautic/core/CVE-2020-35124.yaml
index 5b1d32c89..a8ddda082 100644
--- a/mautic/core/CVE-2020-35124.yaml
+++ b/mautic/core/CVE-2020-35124.yaml
@@ -2,9 +2,6 @@ title: Mautic core - Highly Critical - XSS vulnerability leveraged through refer
 link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
 cve: CVE-2020-35124
 branches:
- features:
- time: 2021-01-14 17:07:00
- versions: ['<=3.2.3']
 '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
diff --git a/mautic/core/CVE-2020-35125.yaml b/mautic/core/CVE-2020-35125.yaml
index 9015d3362..6ad2235fe 100644
--- a/mautic/core/CVE-2020-35125.yaml
+++ b/mautic/core/CVE-2020-35125.yaml
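Review bot: The lower bound added here, `versions: ['>=2.0.0', '<=2.16.4']`, is only applied to the `2.16` branch, while the `3.1` entry's `versions: ['<=3.2.3']` visible as context on the first line of the hunk keeps no floor at all, so read as a range it also matches every 2.x and 1.x release and overlaps the `2.16` entry it sits next to. If the validator wanted a closed range for `2.16`, the same presumably holds for the 3.x branches, e.g. `versions: ['>=3.0.0', '<=3.2.3']`, or a per-line range such as `['>=3.1.0', '<3.2.0']` for `3.1` if the consumer treats each branch entry independently; how the branch map is interpreted is not visible here. The `'3.2'` and `'3.1'` keys themselves lie above this hunk, and the CVE-2020-35125 and CVE-2021-3142 hunks of this patch have the same shape.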
@@ -2,9 +2,6 @@ title: Mautic core - Highly Critical - XSS vulnerability leveraged through refer
 link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
 cve: CVE-2020-35125
 branches:
- features:
- time: 2021-01-14 17:07:00
- versions: ['<=3.2.3']
 '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']
diff --git a/mautic/core/CVE-2021-3142.yaml b/mautic/core/CVE-2021-3142.yaml
index 409be8352..c69290a24 100644
--- a/mautic/core/CVE-2021-3142.yaml
+++ b/mautic/core/CVE-2021-3142.yaml
@@ -2,9 +2,6 @@ title: Mautic core - Moderately Critical - XSS vulnerability when creating/editi
 link: https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
 cve: CVE-2021-3142
 branches:
- features:
- time: 2021-01-14 17:07:00
- versions: ['<=3.2.3']
 '3.2':
 time: 2021-01-14 17:07:00
 versions: ['<=3.2.3']