Look up vulnerable packages by Package URL.

purl pkg:nuget/Serenity.Net.Web@6.7.0
type nuget
namespace
name Serenity.Net.Web
version 6.7.0
qualifiers
subpath
is_vulnerable false
next_non_vulnerable_version 6.7.0
latest_non_vulnerable_version 6.7.0
affected_by_vulnerabilities
fixing_vulnerabilities
0
url VCID-4d3e-jnb9-zuat
vulnerability_id VCID-4d3e-jnb9-zuat
summary
User account enumeration in Serenity
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.
references
0
reference_url https://github.com/serenity-is/Serenity
reference_id
reference_type
scores
url https://github.com/serenity-is/Serenity
1
reference_url https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2
reference_id
reference_type
scores
url https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2
2
reference_url https://seclists.org/fulldisclosure/2023/May/14
reference_id
reference_type
scores
url https://seclists.org/fulldisclosure/2023/May/14
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31286
reference_id CVE-2023-31286
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-31286
4
reference_url https://github.com/advisories/GHSA-w7jm-9x4m-8qc3
reference_id GHSA-w7jm-9x4m-8qc3
reference_type
scores
url https://github.com/advisories/GHSA-w7jm-9x4m-8qc3
fixed_packages
0
url pkg:nuget/Serenity.Net.Web@6.7.0
purl pkg:nuget/Serenity.Net.Web@6.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Serenity.Net.Web@6.7.0
aliases CVE-2023-31286, GHSA-w7jm-9x4m-8qc3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4d3e-jnb9-zuat
1
url VCID-fbu3-1dn2-jybb
vulnerability_id VCID-fbu3-1dn2-jybb
summary
Insufficient token expiration in Serenity
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.
references
0
reference_url https://github.com/serenity-is/Serenity
reference_id
reference_type
scores
url https://github.com/serenity-is/Serenity
1
reference_url https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2
reference_id
reference_type
scores
url https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2
2
reference_url https://packetstorm.news/files/id/172648
reference_id
reference_type
scores
url https://packetstorm.news/files/id/172648
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31287
reference_id CVE-2023-31287
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-31287
4
reference_url https://github.com/advisories/GHSA-2hp9-3xfr-r9w2
reference_id GHSA-2hp9-3xfr-r9w2
reference_type
scores
url https://github.com/advisories/GHSA-2hp9-3xfr-r9w2
fixed_packages
0
url pkg:nuget/Serenity.Net.Web@6.7.0
purl pkg:nuget/Serenity.Net.Web@6.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Serenity.Net.Web@6.7.0
aliases CVE-2023-31287, GHSA-2hp9-3xfr-r9w2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fbu3-1dn2-jybb
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Serenity.Net.Web@6.7.0