Ran GHSA sync script and got 2 modified and 1 new

jasnow · postmodern · commit 56d950eb0f59 · 2023-06-03T14:20:56.000-07:00
diff --git a/gems/actionpack/CVE-2011-1497.yml b/gems/actionpack/CVE-2011-1497.yml
@@ -10,6 +10,7 @@ description: |
   A cross-site scripting vulnerability flaw was found in
   the auto_link function in Rails before version 3.0.6.
 cvss_v2: 4.3
+cvss_v3: 6.1
 patched_versions:
   - ">= 3.0.6"
 related:
diff --git a/gems/camaleon_cms/CVE-2023-30145.yml b/gems/camaleon_cms/CVE-2023-30145.yml
@@ -0,0 +1,25 @@
+---
+gem: camaleon_cms
+cve: 2023-30145
+ghsa: x487-866m-p8hr
+url: http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html
+title: Server-Side Template Injection in Camaleon CMS
+date: 2023-05-26
+description: |
+  Camaleon CMS prior to 2.7.4 was discovered to contain a Server-Side
+  Template Injection (SSTI) vulnerability via the `formats` parameter.
+cvss_v3: 9.8
+patched_versions:
+  - ">= 2.7.4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-30145
+    - https://github.com/paragbagul111/CVE-2023-30145
+    - http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html
+    - https://github.com/owen2345/camaleon-cms/issues/1052
+    - https://github.com/owen2345/camaleon-cms/commit/4485788c544eb1aae52ca613bd9626129e3df6ee
+    - https://github.com/owen2345/camaleon-cms/releases/tag/2.7.4
+    - https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link
+    - https://portswigger.net/research/server-side-template-injection
+    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
+    - https://github.com/advisories/GHSA-x487-866m-p8hr
diff --git a/gems/jquery-rails/CVE-2019-11358.yml b/gems/jquery-rails/CVE-2019-11358.yml
@@ -2,18 +2,18 @@
 gem: jquery-rails
 framework: rails
 cve: 2019-11358
-date: 2019-04-19
+ghsa: 6c3j-c64m-qhgq
 url: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
 title: Prototype pollution attack through jQuery $.extend
+date: 2019-04-19
 description: |
   jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
   bject.prototype pollution. If an unsanitized source object contained an
   enumerable __proto__ property, it could extend the native Object.prototype.
 cvss_v2: 4.3
 cvss_v3: 6.1
 patched_versions:
-  - '>= 4.3.4'
-
+  - ">= 4.3.4"
 related:
   url:
     - https://hackerone.com/reports/454365
