Add support for CVEs

README.md

@@ -9,6 +9,7 @@ Penetration Test report template written in [typst](https://typst.app).
 - Supports [CVSS V3.1](https://www.first.org/cvss/v3-1/)
 - Supports [TLP V2.0](https://www.first.org/tlp/)
 - Supports [MITRE ATT&CK](https://attack.mitre.org/) references
+- Supports [CVE](https://cve.mitre.org/) references
 
 ## Usage
 

addons/cve.typ

@@ -0,0 +1,14 @@
+#let isUsed = state("cveIsUsed", false)
+
+#let reference(name) = {
+  name = upper(name)
+  if not name.starts-with("CVE-") {
+    name = "CVE-" + name
+  }
+
+  text([
+    #name#footnote("https://www.cve.org/CVERecord?id=" + name)
+  ])
+
+  context(isUsed.update(true))
+}

findings.typ

@@ -1,3 +1,4 @@
+#import "addons/cve.typ"
 #import "addons/cvss.typ"
 #import "addons/mitre.typ"
 
@@ -28,7 +29,7 @@ When searching for administration interfaces, the applications `Uptime Kuma` at
 
 Both applications have a login screen and cannot be used by unauthorized visitors. Since administration accounts are set up during the initial configuration of the applications, it was not possible to log in using default credentials. A brute force attack was not performed to check for common passwords.
 
-The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2 and free of publicly known vulnerabilities (CVEs).
+The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2. This instance of `Nginx Proxy Manager` is not vulnerable to the Command Injection vulnerability referenced to as #cve.reference("2024-39935").
 
 This is referenced in MITRE's ATT&CK framework as #mitre.reference(name: "External Remote Services").