diff --git a/data/anchore/2018/CVE-2018-5158.json b/data/anchore/2018/CVE-2018-5158.json
index 7e817ac3..48b42f52 100644
--- a/data/anchore/2018/CVE-2018-5158.json
+++ b/data/anchore/2018/CVE-2018-5158.json
@@ -76,6 +76,25 @@
 "versionType": "npm"
 }
 ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:kevinbazira:algori_pdf_viwer:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "algori-pdf-viwer",
+ "packageType": "wordpress-plugin",
+ "product": "Algori PDF Viewer",
+ "repo": "https://plugins.svn.wordpress.org/algori-pdf-viewer",
+ "vendor": "Kevin Bazira",
+ "versions": [
+ {
+ "lessThan": "1.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
 }
 ],
 "providerMetadata": {
@@ -86,11 +105,14 @@
 {
 "url": "https://github.com/advisories/GHSA-7jg2-jgv3-fmr4"
 },
+ {
+ "url": "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97"
+ },
 {
 "url": "https://github.com/mozilla/pdf.js/pull/9659"
 },
 {
- "url": "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97"
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd66329-098e-4adf-b66f-d82a47720629?source=cve"
 }
 ]
 }
diff --git a/data/anchore/2020/CVE-2020-36834.json b/data/anchore/2020/CVE-2020-36834.json
new file mode 100644
index 00000000..441b0fc4
--- /dev/null
+++ b/data/anchore/2020/CVE-2020-36834.json
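Review bot: In the `affected` entry added by the first hunk, `"packageName": "algori-pdf-viwer"` does not match the slug in the `repo` value of the same entry (`https://plugins.svn.wordpress.org/algori-pdf-viewer`), and the CPE product `algori_pdf_viwer` carries the same spelling. A scanner that matches installed plugins by `packageName` would presumably look for the real slug, so the misspelled name risks a silent miss for this CVE. I would change the line to `"packageName": "algori-pdf-viewer"` and keep the CPE string as written only if that spelling is what the CPE dictionary actually uses.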
@@ -0,0 +1,36 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2020-36834",
+ "description": "The Discount Rules for WooCommerce plugin for WordPress is vulnerable to missing authorization via several AJAX actions in versions up to, and including, 2.0.2 due to missing capability checks on various functions. This makes it possible for subscriber-level attackers to execute various actions and perform a wide variety of actions such as modifying rules and saving configurations.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/articles/multiple-vulnerabilities-in-discount-rules-for-woocommerce-plugin/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cf27ba-a01b-4e34-9584-b1d3fc87af34?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:flycart:discount_rules_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "woo-discount-rules",
+ "product": "Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons",
+ "vendor": "flycart",
+ "versions": [
+ {
+ "lessThan": "2.1.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2023/CVE-2023-32297.json b/data/anchore/2023/CVE-2023-32297.json
new file mode 100644
index 00000000..a2ba155f
--- /dev/null
+++ b/data/anchore/2023/CVE-2023-32297.json
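Review bot: The bound `"lessThan": "2.1.0"` in this new record is not backed by anything else in it: the description only says versions up to and including 2.0.2 are affected, and there is no `solutions` entry or fix reference that names 2.1.0. If a release between 2.0.2 and 2.1.0 exists, it would be reported as affected without evidence either way. CVE-2023-32297.json in this commit records its fix in a `solutions` array (`"Update to 2.3 or a higher version."`); adding the same field here with the confirmed fixed version, or a reference to the fixing changeset, would let a reader verify the range.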
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2023-32297",
+ "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LWS LWS Affiliation allows PHP Local File Inclusion.This issue affects LWS Affiliation: from n/a through 2.2.6.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/lws-affiliation/wordpress-lws-affiliation-plugin-2-2-6-local-file-inclusion-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 2.3 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:lws:affiliation:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "lws-affiliation",
+ "packageType": "wordpress-plugin",
+ "product": "LWS Affiliation",
+ "repo": "https://plugins.svn.wordpress.org/lws-affiliation",
+ "vendor": "LWS",
+ "versions": [
+ {
+ "lessThan": "2.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b1871d-9d26-4bdc-bd20-0535143902d4?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-0766.json b/data/anchore/2024/CVE-2024-0766.json
new file mode 100644
index 00000000..dc140870
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-0766.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-0766",
+ "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/996c7433-dd82-4216-86b9-005f43c06c3a?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-elementor-for-woocommerce",
+ "packageType": "wordpress-plugin",
+ "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+ "vendor": "envothemes",
+ "versions": [
+ {
+ "lessThan": "1.4.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-0767.json b/data/anchore/2024/CVE-2024-0767.json
new file mode 100644
index 00000000..481546d2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-0767.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-0767",
+ "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L332",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/cca71257-05dc-43d5-8de6-faf0a2feab2e?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-elementor-for-woocommerce",
+ "packageType": "wordpress-plugin",
+ "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+ "vendor": "envothemes",
+ "versions": [
+ {
+ "lessThan": "1.4.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-0768.json b/data/anchore/2024/CVE-2024-0768.json
new file mode 100644
index 00000000..7ba9be8e
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-0768.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-0768",
+ "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L367",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/6504ae5c-a36d-495e-aa93-40a3753857c6?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-elementor-for-woocommerce",
+ "packageType": "wordpress-plugin",
+ "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+ "vendor": "envothemes",
+ "versions": [
+ {
+ "lessThan": "1.4.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10187.json b/data/anchore/2024/CVE-2024-10187.json
new file mode 100644
index 00000000..db48b313
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10187.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10187",
+ "description": "The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3183178/",
+ "https://wordpress.org/plugins/mycred/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/23a081d4-443d-4b3b-8c89-9eb0e23c961e?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:mycred:mycred:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "mycred",
+ "packageType": "wordpress-plugin",
+ "product": "myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification",
+ "repo": "https://plugins.svn.wordpress.org/mycred",
+ "vendor": "wpexpertsio",
+ "versions": [
+ {
+ "lessThan": "2.7.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10261.json b/data/anchore/2024/CVE-2024-10261.json
new file mode 100644
index 00000000..2bac96bb
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10261.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10261",
+ "description": "The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "paid-member-subscriptions",
+ "packageType": "wordpress-plugin",
+ "product": "Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction",
+ "vendor": "madalinungureanu",
+ "versions": [
+ {
+ "lessThan": "2.13.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10265.json b/data/anchore/2024/CVE-2024-10265.json
new file mode 100644
index 00000000..f115d125
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10265.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10265",
+ "description": "The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/form-maker/trunk/wd/includes/notices.php#L199",
+ "https://plugins.trac.wordpress.org/changeset/3183170/",
+ "https://wordpress.org/plugins/form-maker/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb1a2c2-581d-47ed-a180-9f70fdf79066?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:web-dorado:form_maker:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "form-maker",
+ "packageType": "wordpress-plugin",
+ "product": "Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder",
+ "vendor": "10web",
+ "versions": [
+ {
+ "lessThan": "1.15.31",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10269.json b/data/anchore/2024/CVE-2024-10269.json
new file mode 100644
index 00000000..5d8980ef
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10269.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10269",
+ "description": "The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3181757/",
+ "https://wordpress.org/plugins/easy-svg/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbc0866-1e9d-457a-8ef3-fb046c89c1dd?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:benjaminzekavica:easy_svg_support:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "easy-svg",
+ "packageType": "wordpress-plugin",
+ "product": "Easy SVG Support",
+ "vendor": "benjamin_zekavica",
+ "versions": [
+ {
+ "lessThan": "3.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10325.json b/data/anchore/2024/CVE-2024-10325.json
new file mode 100644
index 00000000..ef5d3327
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10325.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10325",
+ "description": "The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3182862/",
+ "https://wordpress.org/plugins/header-footer-elementor/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/7773fd3a-2417-415e-97b0-735e99e62097?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:brainstormforce:elementor_-_header\\,_footer_\\&_blocks_template:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "header-footer-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "Elementor Header & Footer Builder",
+ "vendor": "brainstormforce",
+ "versions": [
+ {
+ "lessThan": "1.6.46",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10352.json b/data/anchore/2024/CVE-2024-10352.json
new file mode 100644
index 00000000..83e41e20
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10352.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10352",
+ "description": "The Magical Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the get_content_type function in includes/widgets/content-reveal.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3182827/magical-addons-for-elementor",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/8aa2ba7f-c33d-4e80-b1cf-2d7b2a497f04?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpthemespace:magical_addons_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "magical-addons-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )",
+ "vendor": "nalam-1",
+ "versions": [
+ {
+ "lessThan": "1.2.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10547.json b/data/anchore/2024/CVE-2024-10547.json
new file mode 100644
index 00000000..3fe401d2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10547.json
@@ -0,0 +1,36 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10547",
+ "description": "The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://codecanyon.net/item/wp-membership/10066554",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/664e6e2a-faa1-4609-b250-d7e94c5d5a04?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:e-plugins:wp_membership:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wp-membership",
+ "product": "WP Membership",
+ "vendor": "e-plugins",
+ "versions": [
+ {
+ "lessThan": "1.6.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10589.json b/data/anchore/2024/CVE-2024-10589.json
new file mode 100644
index 00000000..caa61933
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10589.json
@@ -0,0 +1,36 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10589",
+ "description": "The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://codecanyon.net/item/leopard-wordpress-offload-media/23728788",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0b50597-18c1-4cbc-aebb-348f4d786ad9?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:nouthemes:leopard:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "leopard-wordpress-offload-media",
+ "product": "Leopard - WordPress Offload Media",
+ "vendor": "nouthemes",
+ "versions": [
+ {
+ "lessThan": "3.1.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10640.json b/data/anchore/2024/CVE-2024-10640.json
new file mode 100644
index 00000000..5c1341dc
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10640.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10640",
+ "description": "The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3183018%40woocommerce-currency-switcher&old=3178647%40woocommerce-currency-switcher&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:pluginus:fox_-_currency_switcher_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:pluginus:woocommerce_currency_switcher:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "woocommerce-currency-switcher",
+ "packageType": "wordpress-plugin",
+ "product": "FOX – Currency Switcher Professional for WooCommerce",
+ "vendor": "realmag777",
+ "versions": [
+ {
+ "lessThan": "1.4.2.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10683.json b/data/anchore/2024/CVE-2024-10683.json
new file mode 100644
index 00000000..089d849d
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10683.json
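Review bot: `"lessThan": "1.4.2.3"` is declared with `"versionType": "semver"`, but a four-part version is not valid SemVer, so a consumer that parses the bound strictly may reject it or order it incorrectly and fail to flag affected installs. The same applies to `1.8.3.1` in CVE-2024-10876.json and to `8.9.01.001` (four parts, leading zeros) in CVE-2024-10958.json. CVE-2023-32297.json in this commit already uses a different type for its non-SemVer bound `2.3`; I would do the same in these three records: `"versionType": "custom"`.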
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10683",
+ "description": "The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is present in the dashboard.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.3.1/includes/admin/notices.php#L46",
+ "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.3.1/includes/admin/notices.php#L48",
+ "https://plugins.trac.wordpress.org/changeset/3182753/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/49e741c9-0cc7-4a62-a920-4fd997bee280?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpplugin:paypal_\\&_stripe_add-on:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "contact-form-7-paypal-add-on",
+ "packageType": "wordpress-plugin",
+ "product": "Contact Form 7 – PayPal & Stripe Add-on",
+ "vendor": "scottpaterson",
+ "versions": [
+ {
+ "lessThan": "2.3.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10770.json b/data/anchore/2024/CVE-2024-10770.json
new file mode 100644
index 00000000..0d62ebd0
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10770.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10770",
+ "description": "The Envo Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.3 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3182181%40envo-extra&new=3182181%40envo-extra&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/08b0f5e0-f68a-4fea-9d62-468956012a6d?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo_extra:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-extra",
+ "packageType": "wordpress-plugin",
+ "product": "Envo Extra",
+ "vendor": "envothemes",
+ "versions": [
+ {
+ "lessThan": "1.9.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10779.json b/data/anchore/2024/CVE-2024-10779.json
new file mode 100644
index 00000000..c41c3109
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10779.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10779",
+ "description": "The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.0 via the 'ce_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://wordpress.org/plugins/cowidgets-elementor-addons/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec005f9f-3f63-4d73-9bd5-dc9c4c4b8bfe?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:codeless:cowidgets_-_elementor:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:codeless:cowidgets_elementor_addons:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "cowidgets-elementor-addons",
+ "packageType": "wordpress-plugin",
+ "product": "Cowidgets – Elementor Addons",
+ "vendor": "codelessthemes",
+ "versions": [
+ {
+ "lessThanOrEqual": "1.2.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10814.json b/data/anchore/2024/CVE-2024-10814.json
new file mode 100644
index 00000000..34a88036
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10814.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10814",
+ "description": "The Code Embed plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5 via the ce_get_file() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L145",
+ "https://plugins.trac.wordpress.org/changeset/3182609/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e1e17c9-b9ee-495a-be49-9aa88f8023a2?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:davidartiss:code_embed:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "simple-embed-code",
+ "packageType": "wordpress-plugin",
+ "product": "Code Embed",
+ "vendor": "dartiss",
+ "versions": [
+ {
+ "lessThan": "2.5.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10876.json b/data/anchore/2024/CVE-2024-10876.json
new file mode 100644
index 00000000..039d87fd
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10876.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10876",
+ "description": "The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.8.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.2/includes/admin/donations/class-charitable-donation-list-table.php#L318",
+ "https://plugins.trac.wordpress.org/changeset/3183944/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/68014bb5-b2ef-4e2f-9c47-85e555ded5a7?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpcharitable:charitable:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "charitable",
+ "packageType": "wordpress-plugin",
+ "product": "Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More",
+ "repo": "https://plugins.svn.wordpress.org/charitable",
+ "vendor": "smub",
+ "versions": [
+ {
+ "lessThan": "1.8.3.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10958.json b/data/anchore/2024/CVE-2024-10958.json
new file mode 100644
index 00000000..92d89a54
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10958.json
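Review bot: `"versionType": "semver"` is paired with `"lessThan": "1.8.3.1"`, a four-component version that is not a valid Semantic Versioning string. The same pairing appears in the new records for CVE-2024-10958 (`8.9.01.001`, which also carries leading zeros), CVE-2024-2043 and CVE-2024-2082 (`2.9.9.8`). How a consumer orders these bounds depends on its parser; a strict semver comparator may reject the bound or compare it incorrectly, which would presumably leave affected installs unmatched. The other WordPress plugin records in this change use `"versionType": "custom"`, and that value fits these four records as well.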
@@ -0,0 +1,42 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10958",
+ "description": "The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/8.8.08.004/wppa-ajax.php#L1238",
+ "https://plugins.trac.wordpress.org/changeset/3184852/",
+ "https://wordpress.org/plugins/wp-photo-album-plus/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/53bb0871-343a-4299-9902-682c422152d1?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wp_photo_album_plus_project:wp_photo_album_plus:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:wppa.opajaap:wp-photo-album-plus:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:wppa:wp_photo_album_plus:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wp-photo-album-plus",
+ "packageType": "wordpress-plugin",
+ "product": "WP Photo Album Plus",
+ "vendor": "opajaap",
+ "versions": [
+ {
+ "lessThan": "8.9.01.001",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-2043.json b/data/anchore/2024/CVE-2024-2043.json
new file mode 100644
index 00000000..29fba8da
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-2043.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-2043",
+ "description": "The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/all-contact-form-integration-for-elementor/trunk/includes/export_csv.php#L14",
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3056456%40all-contact-form-integration-for-elementor%2Ftrunk&old=3021680%40all-contact-form-integration-for-elementor%2Ftrunk&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a40ed3c-1f4b-4bf7-b6f4-fc1e145cc989?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:theinnovs:eleforms:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "all-contact-form-integration-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "EleForms – All In One Form Integration including DB for Elementor",
+ "vendor": "cscode",
+ "versions": [
+ {
+ "lessThan": "2.9.9.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-2082.json b/data/anchore/2024/CVE-2024-2082.json
new file mode 100644
index 00000000..2b3e4976
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-2082.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-2082",
+ "description": "The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3056456%40all-contact-form-integration-for-elementor%2Ftrunk&old=3021680%40all-contact-form-integration-for-elementor%2Ftrunk&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/cefcd612-0ba8-4225-8f23-817b7220ee7b?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:theinnovs:eleforms:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "all-contact-form-integration-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "EleForms – All In One Form Integration including DB for Elementor",
+ "vendor": "cscode",
+ "versions": [
+ {
+ "lessThan": "2.9.9.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-2136.json b/data/anchore/2024/CVE-2024-2136.json
new file mode 100644
index 00000000..5c683b03
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-2136.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-2136",
+ "description": "The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3046089/wpkoi-templates-for-elementor",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/31f7ae51-2fb2-4311-bc78-7198d6e6b623?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpkoi:wpkoi_templates_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wpkoi-templates-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "WPKoi Templates for Elementor",
+ "vendor": "wpkoithemes",
+ "versions": [
+ {
+ "lessThan": "2.5.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-2890.json b/data/anchore/2024/CVE-2024-2890.json
new file mode 100644
index 00000000..d78df173
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-2890.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-2890",
+ "description": "Unrestricted Upload of File with Dangerous Type vulnerability in Tumult Inc. Tumult Hype Animations.This issue affects Tumult Hype Animations: from n/a through 1.9.12.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/tumult-hype-animations/wordpress-tumult-hype-animations-plugin-1-9-12-arbitrary-file-upload-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.9.13 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:tumult:tumult_hype_animations:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "tumult-hype-animations",
+ "packageType": "wordpress-plugin",
+ "product": "Tumult Hype Animations",
+ "repo": "https://plugins.svn.wordpress.org/tumult-hype-animations",
+ "vendor": "Tumult Inc.",
+ "versions": [
+ {
+ "lessThan": "1.9.13",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb267bbd-cd62-49f7-9abc-c6734b23be22?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-30460.json b/data/anchore/2024/CVE-2024-30460.json
new file mode 100644
index 00000000..60f59e9d
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-30460.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-30460",
+ "description": "Cross-Site Request Forgery (CSRF) vulnerability in Tumult Inc Tumult Hype Animations.This issue affects Tumult Hype Animations: from n/a through 1.9.11.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/tumult-hype-animations/wordpress-tumult-hype-animations-plugin-1-9-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.9.12 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:tumult:tumult_hype_animations:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "tumult-hype-animations",
+ "packageType": "wordpress-plugin",
+ "product": "Tumult Hype Animations",
+ "repo": "https://plugins.svn.wordpress.org/tumult-hype-animations",
+ "vendor": "Tumult Inc",
+ "versions": [
+ {
+ "lessThan": "1.9.12",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-35167.json b/data/anchore/2024/CVE-2024-35167.json
new file mode 100644
index 00000000..986f30a0
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-35167.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-35167",
+ "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS.This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.8.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/envo-elementor-for-woocommerce/wordpress-envo-s-elementor-templates-widgets-for-woocommerce-plugin-1-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.4.9 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-elementor-for-woocommerce",
+ "packageType": "wordpress-plugin",
+ "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+ "repo": "https://plugins.svn.wordpress.org/envo-elementor-for-woocommerce",
+ "vendor": "EnvoThemes",
+ "versions": [
+ {
+ "lessThan": "1.4.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b09a3b74-a359-456a-b945-f6173f579e9b?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-37960.json b/data/anchore/2024/CVE-2024-37960.json
new file mode 100644
index 00000000..128eee55
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-37960.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-37960",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Chris Coyier CodePen Embedded Pens Shortcode allows Stored XSS.This issue affects CodePen Embedded Pens Shortcode: from n/a through 1.0.0.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/codepen-embedded-pen-shortcode/wordpress-codepen-embedded-pens-shortcode-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.0.1 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:codepen:codepen:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "codepen-embedded-pen-shortcode",
+ "packageType": "wordpress-plugin",
+ "product": "CodePen Embedded Pens Shortcode",
+ "repo": "https://plugins.svn.wordpress.org/codepen-embedded-pen-shortcode",
+ "vendor": "Chris Coyier",
+ "versions": [
+ {
+ "lessThan": "1.0.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c27f566a-913e-498e-90bb-113692b74612?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-38748.json b/data/anchore/2024/CVE-2024-38748.json
new file mode 100644
index 00000000..47e6e42a
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-38748.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-38748",
+ "description": "Access Control vulnerability in TheInnovs EleForms allows .\n\nThis issue affects EleForms: from n/a through 2.9.9.9.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/all-contact-form-integration-for-elementor/wordpress-eleforms-plugin-2-9-9-9-broken-access-control-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Deactivate and delete. This plugin has been closed as of July 10, 2024 and is not available for download."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:theinnovs:eleforms:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "all-contact-form-integration-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "EleForms",
+ "repo": "https://plugins.svn.wordpress.org/all-contact-form-integration-for-elementor",
+ "vendor": "TheInnovs",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.9.9.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2162601a-3b94-4d6b-959e-99ba68d1271a?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-43147.json b/data/anchore/2024/CVE-2024-43147.json
new file mode 100644
index 00000000..83ddb410
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-43147.json
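Review bot: The `"product": "EleForms"` and `"vendor": "TheInnovs"` values here disagree with the records for CVE-2024-2043 and CVE-2024-2082 in this same change, which describe the same `packageName` (`all-contact-form-integration-for-elementor`) and the same CPE with `"vendor": "cscode"` and the long product title. Matching on `cpes` and `packageName` is unaffected, but anything that groups or de-duplicates findings by vendor and product will presumably treat these as different software. Settle on one vendor/product pair per plugin slug; the two Tumult Hype Animations records show a smaller variant of the same drift (`Tumult Inc.` and `Tumult Inc`).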
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-43147",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Merkulove Selection Lite allows Stored XSS.This issue affects Selection Lite: from n/a through 1.11.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/selection-lite/wordpress-selection-lite-plugin-1-11-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.12 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:merkulove:selection_lite:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "selection-lite",
+ "packageType": "wordpress-plugin",
+ "product": "Selection Lite",
+ "repo": "https://plugins.svn.wordpress.org/selection-lite",
+ "vendor": "Merkulove",
+ "versions": [
+ {
+ "lessThan": "1.12",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74bbe655-ce86-4a87-a79f-f25bd0680e49?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-43292.json b/data/anchore/2024/CVE-2024-43292.json
new file mode 100644
index 00000000..bf9ce596
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-43292.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-43292",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS.This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.16.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/envo-elementor-for-woocommerce/wordpress-envo-s-elementor-templates-widgets-for-woocommerce-plugin-1-4-16-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.4.17 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "envo-elementor-for-woocommerce",
+ "packageType": "wordpress-plugin",
+ "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+ "repo": "https://plugins.svn.wordpress.org/envo-elementor-for-woocommerce",
+ "vendor": "EnvoThemes",
+ "versions": [
+ {
+ "lessThan": "1.4.17",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7abb5103-7063-4a8d-8ca0-66074954acd5?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-43311.json b/data/anchore/2024/CVE-2024-43311.json
new file mode 100644
index 00000000..e50e6283
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-43311.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-43311",
+ "description": "Improper Privilege Management vulnerability in Geek Code Lab Login As Users allows Privilege Escalation.This issue affects Login As Users: from n/a through 1.4.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/login-as-users/wordpress-login-as-users-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.4.3 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:geekcodelab:login_as_users:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "login-as-users",
+ "packageType": "wordpress-plugin",
+ "product": "Login As Users",
+ "repo": "https://plugins.svn.wordpress.org/login-as-users",
+ "vendor": "Geek Code Lab",
+ "versions": [
+ {
+ "lessThan": "1.4.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73a0d7a9-374b-430d-a7e5-3c7cdaff5785?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-4980.json b/data/anchore/2024/CVE-2024-4980.json
new file mode 100644
index 00000000..2d114704
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-4980.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-4980",
+ "description": "The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'id', 'mixColor', 'backgroundColor', 'saveInCookies', and 'autoMatchOsTheme' parameters in all versions up to, and including, 2.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/wpkoi-templates-for-elementor/trunk/elements/elements/advanced-heading/advanced-heading.php#L626",
+ "https://plugins.trac.wordpress.org/browser/wpkoi-templates-for-elementor/trunk/elements/elements/darkmode/darkmode.php#L291",
+ "https://plugins.trac.wordpress.org/browser/wpkoi-templates-for-elementor/trunk/elements/elements/qr-code/qr-code.php#L110",
+ "https://plugins.trac.wordpress.org/changeset/3088306/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/6054a885-e67a-4731-93ea-64d7f90d9ea8?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpkoi:wpkoi_templates_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wpkoi-templates-for-elementor",
+ "packageType": "wordpress-plugin",
+ "product": "WPKoi Templates for Elementor",
+ "vendor": "wpkoithemes",
+ "versions": [
+ {
+ "lessThan": "2.5.11",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
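Review bot: The bound `"lessThan": "2.5.11"` also marks 2.5.10 as affected, while the description in the same record limits the issue to "all versions up to, and including, 2.5.9". Nothing visible here says which release carries the fix (the references cite changeset 3088306 without a version), so the wider range may be deliberate. If it is, record the fixed version and the source for it in `"reason"`; if it is not, `"lessThan": "2.5.10"` is the bound that matches the description.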
diff --git a/data/anchore/2024/CVE-2024-50378.json b/data/anchore/2024/CVE-2024-50378.json
new file mode 100644
index 00000000..986149df
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-50378.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "apache",
+ "cveId": "CVE-2024-50378",
+ "description": "Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/apache/airflow/pull/43123",
+ "https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pypi.org",
+ "cpes": [
+ "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
+ ],
+ "packageName": "apache-airflow",
+ "packageType": "python",
+ "product": "Apache Airflow",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "2.10.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51580.json b/data/anchore/2024/CVE-2024-51580.json
new file mode 100644
index 00000000..adabf59f
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51580.json
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51580",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CleverSoft Clever Addons for Elementor allows Stored XSS.This issue affects Clever Addons for Elementor: from n/a through 2.2.1.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/cafe-lite/wordpress-clever-addons-for-elementor-plugin-2-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:clever-soft:clever_addons_for_elementor:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:cleversoft:clever_addons_for_elementor:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:download_clever_addons_for_elementor_project:download_clever_addons_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "cafe-lite",
+ "packageType": "wordpress-plugin",
+ "product": "Clever Addons for Elementor",
+ "repo": "https://plugins.svn.wordpress.org/cafe-lite",
+ "vendor": "CleverSoft",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.2.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85afaef5-e19d-4052-ba72-89518f33b462?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51614.json b/data/anchore/2024/CVE-2024-51614.json
new file mode 100644
index 00000000..063faca5
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51614.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51614",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aajoda Aajoda Testimonials allows Stored XSS.This issue affects Aajoda Testimonials: from n/a through 2.2.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/aajoda-testimonials/wordpress-aajoda-testimonials-plugin-2-2-2-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "aajoda-testimonials",
+ "packageType": "wordpress-plugin",
+ "product": "Aajoda Testimonials",
+ "repo": "https://plugins.svn.wordpress.org/aajoda-testimonials",
+ "vendor": "Aajoda",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.2.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2000a8b-85e4-4031-a24b-a6e0ced774cc?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51662.json b/data/anchore/2024/CVE-2024-51662.json
new file mode 100644
index 00000000..05f673f7
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51662.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51662",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Modernaweb Studio Black Widgets For Elementor allows Stored XSS.This issue affects Black Widgets For Elementor: from n/a through 1.3.6.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/black-widgets/wordpress-black-widgets-for-elementor-plugin-1-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.3.7 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:modernaweb:black_widgets_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "black-widgets",
+ "packageType": "wordpress-plugin",
+ "product": "Black Widgets For Elementor",
+ "repo": "https://plugins.svn.wordpress.org/black-widgets",
+ "vendor": "Modernaweb Studio",
+ "versions": [
+ {
+ "lessThan": "1.3.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b95b72e-b986-4492-9537-74fecf5e93a8?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51664.json b/data/anchore/2024/CVE-2024-51664.json
new file mode 100644
index 00000000..5f36a061
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51664.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51664",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mark Kinchin Beds24 Online Booking allows Stored XSS.This issue affects Beds24 Online Booking: from n/a through 2.0.25.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/beds24-online-booking/wordpress-beds24-online-booking-plugin-2-0-25-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 2.0.26 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:beds24:online_booking:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "beds24-online-booking",
+ "packageType": "wordpress-plugin",
+ "product": "Beds24 Online Booking",
+ "repo": "https://plugins.svn.wordpress.org/beds24-online-booking",
+ "vendor": "Mark Kinchin",
+ "versions": [
+ {
+ "lessThan": "2.0.26",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d249bc4-1230-4d85-8b29-e00a9cb80434?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51668.json b/data/anchore/2024/CVE-2024-51668.json
new file mode 100644
index 00000000..9a6c030c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51668.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51668",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mark Tilly MyCurator Content Curation allows Stored XSS.This issue affects MyCurator Content Curation: from n/a through 3.78.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/mycurator/wordpress-mycurator-content-curation-plugin-3-78-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 3.79 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:mycurator_content_curation_project:mycurator_content_curation:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "mycurator",
+ "packageType": "wordpress-plugin",
+ "product": "MyCurator Content Curation",
+ "repo": "https://plugins.svn.wordpress.org/mycurator",
+ "vendor": "Mark Tilly",
+ "versions": [
+ {
+ "lessThan": "3.79",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/383a49c2-3239-44ee-b36b-116b73dce9f2?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51670.json b/data/anchore/2024/CVE-2024-51670.json
new file mode 100644
index 00000000..21a022c5
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51670.json
@@ -0,0 +1,47 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51670",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Stored XSS.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.7.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-plugin-2-8-7-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 2.8.8 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:joomsky:js_help_desk:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:wiselyhub:js_help_desk:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "js-support-ticket",
+ "packageType": "wordpress-plugin",
+ "product": "JS Help Desk – Best Help Desk & Support Plugin",
+ "repo": "https://plugins.svn.wordpress.org/js-support-ticket",
+ "vendor": "JS Help Desk",
+ "versions": [
+ {
+ "lessThan": "2.8.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da2dd641-6f98-4258-a758-2bfc831b3898?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51673.json b/data/anchore/2024/CVE-2024-51673.json
new file mode 100644
index 00000000..42e34a60
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51673.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51673",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HasThemes HT Politic allows DOM-Based XSS.This issue affects HT Politic: from n/a through 2.4.4.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/wp-politic/wordpress-ht-politic-plugin-2-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 2.4.5 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:hasthemes:ht_politic:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wp-politic",
+ "packageType": "wordpress-plugin",
+ "product": "HT Politic",
+ "repo": "https://plugins.svn.wordpress.org/wp-politic",
+ "vendor": "HasThemes",
+ "versions": [
+ {
+ "lessThan": "2.4.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/062844b8-5d19-447f-86df-7b084fa275cb?source=cve"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51697.json b/data/anchore/2024/CVE-2024-51697.json
new file mode 100644
index 00000000..f13d42e1
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51697.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51697",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Doofinder allows Reflected XSS.This issue affects Doofinder: from n/a through 0.5.4.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/doofinder/wordpress-doofinder-plugin-0-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:doofinder:doofinder:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "doofinder",
+ "packageType": "wordpress-plugin",
+ "product": "Doofinder",
+ "repo": "https://plugins.svn.wordpress.org/doofinder",
+ "vendor": "Doofinder",
+ "versions": [
+ {
+ "lessThanOrEqual": "0.5.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51786.json b/data/anchore/2024/CVE-2024-51786.json
new file mode 100644
index 00000000..54838ccd
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51786.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51786",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BestWebSoft Realty by BestWebSoft allows Stored XSS.This issue affects Realty by BestWebSoft: from n/a through 1.1.5.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/realty/wordpress-realty-by-bestwebsoft-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 1.1.6 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:bestwebsoft:realty:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "realty",
+ "packageType": "wordpress-plugin",
+ "product": "Realty by BestWebSoft",
+ "repo": "https://plugins.svn.wordpress.org/realty",
+ "vendor": "BestWebSoft",
+ "versions": [
+ {
+ "lessThan": "1.1.6",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51787.json b/data/anchore/2024/CVE-2024-51787.json
new file mode 100644
index 00000000..6a7214b4
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51787.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-51787",
+ "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in QuomodoSoft ElementsReady Addons for Elementor allows Stored XSS.This issue affects ElementsReady Addons for Elementor: from n/a through 6.4.3.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/vulnerability/element-ready-lite/wordpress-elementsready-addons-for-elementor-plugin-6-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update to 6.4.4 or a higher version."
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:quomodosoft:elementsready:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "element-ready-lite",
+ "packageType": "wordpress-plugin",
+ "product": "ElementsReady Addons for Elementor",
+ "repo": "https://plugins.svn.wordpress.org/element-ready-lite",
+ "vendor": "QuomodoSoft",
+ "versions": [
+ {
+ "lessThan": "6.4.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52000.json b/data/anchore/2024/CVE-2024-52000.json
new file mode 100644
index 00000000..95c8a1ae
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52000.json
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52000",
+ "description": "Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "combodo/itop",
+ "product": "iTop",
+ "repo": "https://github.com/combodo/itop",
+ "vendor": "Combodo",
+ "versions": [
+ {
+ "lessThan": "3.2.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52001.json b/data/anchore/2024/CVE-2024-52001.json
new file mode 100644
index 00000000..8857a87b
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52001.json
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52001",
+ "description": "Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "combodo/itop",
+ "product": "iTop",
+ "repo": "https://github.com/combodo/itop",
+ "vendor": "Combodo",
+ "versions": [
+ {
+ "lessThan": "3.2.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52002.json b/data/anchore/2024/CVE-2024-52002.json
new file mode 100644
index 00000000..b5fcac22
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52002.json
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52002",
+ "description": "Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "combodo/itop",
+ "product": "iTop",
+ "repo": "https://github.com/combodo/itop",
+ "vendor": "Combodo",
+ "versions": [
+ {
+ "lessThan": "3.2.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52007.json b/data/anchore/2024/CVE-2024-52007.json
new file mode 100644
index 00000000..6c83aa8a
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52007.json
@@ -0,0 +1,158 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-52007", + "description": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j", + "https://cwe.mitre.org/data/definitions/611.html", + "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571", + "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717", + "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf", + "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.core:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.core", + "packageType": "maven", + "product": "org.hl7.fhir.core", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": 
"https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.utilities:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r5:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.r5", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.r5", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r4b:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r4:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.r4", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.r4", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ 
+ "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.dstu3:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may:*:*:*:*:*:maven:*:*" + ], + "packageName": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may", + "packageType": "maven", + "product": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may", + "repo": "https://github.com/hapifhir/org.hl7.fhir.core", + "vendor": "hapifhir", + "versions": [ + { + "lessThan": "6.4.0", + "status": "affected", + "version": "0", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-52009.json b/data/anchore/2024/CVE-2024-52009.json new file mode 100644 index 00000000..4a5823e0 --- /dev/null +++ b/data/anchore/2024/CVE-2024-52009.json 
@@ -0,0 +1,42 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52009",
+ "description": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/security",
+ "https://github.com/runatlantis/atlantis/issues/4060",
+ "https://github.com/runatlantis/atlantis/pull/4667",
+ "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0",
+ "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:runatlantis:atlantis:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "github.com/runatlantis/atlantis",
+ "packageType": "go-module",
+ "product": "atlantis",
+ "repo": "https://github.com/runatlantis/atlantis",
+ "vendor": "runatlantis",
+ "versions": [
+ {
+ "lessThan": "0.30.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-7791.json b/data/anchore/2024/CVE-2024-7791.json
new file mode 100644
index 00000000..a06d2a76
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-7791.json
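Review bot: The first entry under `additionalMetadata.references`, `https://argo-cd.readthedocs.io/en/stable/operator-manual/security`, is Argo CD documentation, while every other field in this record is about Atlantis. If the list is copied from the CNA record the link may be intentional upstream, but it is worth confirming, since someone triaging this CVE would follow it expecting Atlantis guidance. The description says the leaked `ghs_...` tokens sit in the Atlantis logs, so the links that matter to a defender are the advisory and the v0.30.0 release, which are already listed.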
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-7791",
+ "description": "The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/post-grid/post-grid.php#L1891",
+ "https://plugins.trac.wordpress.org/changeset/3141892/",
+ "https://plugins.trac.wordpress.org/changeset/3141892/#file2",
+ "https://wordpress.org/plugins/xpro-elementor-addons/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6025dd5-a1d7-48cc-90b3-f020d3d2298b?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:wpxpro:xpro_addons_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "xpro-elementor-addons",
+ "product": "140+ Widgets | Xpro Addons For Elementor – FREE",
+ "vendor": "xpro",
+ "versions": [
+ {
+ "lessThan": "1.4.4.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-8960.json b/data/anchore/2024/CVE-2024-8960.json
new file mode 100644
index 00000000..7bb9d288
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-8960.json
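Review bot: `"versionType": "semver"` does not fit the bound `"lessThan": "1.4.4.4"` in the `versions` entry, because a four-component version is not valid semantic versioning and a strict semver comparator may reject or mis-order it, which would leave vulnerable installs unmatched. The patchstack-sourced plugin records in this commit use `"versionType": "custom"`, which would suit here as well. The CVE-2024-9262 hunk has the same mismatch with `"lessThanOrEqual": "3.1"`. This record also lacks the `collectionURL` and `packageType` fields that those sibling plugin records carry, so a consumer that selects on `"packageType": "wordpress-plugin"` could presumably skip it.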
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-8960",
+ "description": "The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/cowidgets-elementor-addons/trunk/inc/widgets-manager/class-widgets-loader.php#L324",
+ "https://wordpress.org/plugins/cowidgets-elementor-addons/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/fac90d55-9ae2-48a8-b82b-fe1626556c7b?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:codeless:cowidgets_-_elementor:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:codeless:cowidgets_elementor_addons:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "cowidgets-elementor-addons",
+ "packageType": "wordpress-plugin",
+ "product": "Cowidgets – Elementor Addons",
+ "vendor": "codelessthemes",
+ "versions": [
+ {
+ "lessThanOrEqual": "1.2.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-9165.json b/data/anchore/2024/CVE-2024-9165.json
index b4d3d152..d274399f 100644
--- a/data/anchore/2024/CVE-2024-9165.json
+++ b/data/anchore/2024/CVE-2024-9165.json
@@ -23,7 +23,7 @@ "vendor": "codemenschen", "versions": [ { - "lessThanOrEqual": "4.4.4", + "lessThan": "4.4.5", "status": "affected", "version": "0", "versionType": "semver" diff --git a/data/anchore/2024/CVE-2024-9262.json b/data/anchore/2024/CVE-2024-9262.json new file mode 100644 index 00000000..20e0f585 --- /dev/null +++ b/data/anchore/2024/CVE-2024-9262.json 
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-9262",
+ "description": "The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/user-meta/trunk/models/classes/generate/PublicProfile.php#L28",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed81348-7604-4858-bc8e-b4504d77ee45?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:user-meta:user_meta_user_profile_builder_and_user_management:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "user-meta",
+ "packageType": "wordpress-plugin",
+ "product": "User Meta – User Profile Builder and User management plugin",
+ "vendor": "khaledsaikat",
+ "versions": [
+ {
+ "lessThanOrEqual": "3.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file