From 07f33fa216dd46fe1024cdf90363c0124da1004d Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Fri, 31 Jan 2025 03:00:36 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2024/13xxx/CVE-2024-13396.json | 81 ++++++++++++++++++++++++++++++++--
2024/13xxx/CVE-2024-13397.json | 76 +++++++++++++++++++++++++++++--
2024/13xxx/CVE-2024-13399.json | 76 +++++++++++++++++++++++++++++--
2024/13xxx/CVE-2024-13767.json | 76 +++++++++++++++++++++++++++++--
2024/13xxx/CVE-2024-13817.json | 8 ++--
2025/0xxx/CVE-2025-0924.json | 18 ++++++++
2025/0xxx/CVE-2025-0925.json | 18 ++++++++
7 files changed, 333 insertions(+), 20 deletions(-)
create mode 100644 2025/0xxx/CVE-2025-0924.json
create mode 100644 2025/0xxx/CVE-2025-0925.json
diff --git a/2024/13xxx/CVE-2024-13396.json b/2024/13xxx/CVE-2024-13396.json
index 1932fa1d6f3..1971120f755 100644
--- a/2024/13xxx/CVE-2024-13396.json
+++ b/2024/13xxx/CVE-2024-13396.json
@@ -1,17 +1,90 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-13396",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionless_form' shortcode[s] in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "spgajjar",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Frictionless",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "0.0.23"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1ec9dce-d0fb-4b7b-a8e4-4ccb474c9d57?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1ec9dce-d0fb-4b7b-a8e4-4ccb474c9d57?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/frictionless/trunk/frictionless.php",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/frictionless/trunk/frictionless.php"
+ },
+ {
+ "url": "https://wordpress.org/plugins/frictionless/",
+ "refsource": "MISC",
+ "name": "https://wordpress.org/plugins/frictionless/"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "zakaria"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM"
}
]
}
diff --git a/2024/13xxx/CVE-2024-13397.json b/2024/13xxx/CVE-2024-13397.json
index 321420fca27..b35db154fc8 100644
--- a/2024/13xxx/CVE-2024-13397.json
+++ b/2024/13xxx/CVE-2024-13397.json
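Review bot: The second reference in the CVE-2024-13396 record links to `frictionless/trunk/frictionless.php` with no tag or revision, so it will stop showing the affected 0.0.23 code as soon as trunk changes. The CVE-2024-13397 record has the same problem with `wpradio/trunk/Frontend/Frontend.php#L140`, where the line anchor will drift as well. Pinning each URL to the tagged release or a changeset would keep the evidence stable for anyone triaging the record later. The description also carries what looks like template residue, `'frictionless_form' shortcode[s]`, which would read better as `'frictionless_form' shortcode`.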
@@ -1,17 +1,85 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-13397",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The WPRadio \u2013 WordPress Radio Streaming Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpradio_player' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "casterfm",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "WPRadio \u2013 WordPress Radio Streaming Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.0.4"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f153174a-1226-4c16-ba8b-637be1d7e742?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f153174a-1226-4c16-ba8b-637be1d7e742?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/wpradio/trunk/Frontend/Frontend.php#L140",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/wpradio/trunk/Frontend/Frontend.php#L140"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "zakaria"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM"
}
]
}
diff --git a/2024/13xxx/CVE-2024-13399.json b/2024/13xxx/CVE-2024-13399.json
index 95ed48aad70..42a98576eb4 100644
--- a/2024/13xxx/CVE-2024-13399.json
+++ b/2024/13xxx/CVE-2024-13399.json
@@ -1,17 +1,85 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-13399",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Gosign \u2013 Posts Slider Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posts-slider-block' block in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "gosign",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Gosign \u2013 Posts Slider Block",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.1.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0778c676-92e6-4813-a564-06463fc84eec?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0778c676-92e6-4813-a564-06463fc84eec?source=cve"
+ },
+ {
+ "url": "https://wordpress.org/plugins/gosign-posts-slider-block/",
+ "refsource": "MISC",
+ "name": "https://wordpress.org/plugins/gosign-posts-slider-block/"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Nirmal"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM"
}
]
}
diff --git a/2024/13xxx/CVE-2024-13767.json b/2024/13xxx/CVE-2024-13767.json
index 47410bb1747..59566e949ec 100644
--- a/2024/13xxx/CVE-2024-13767.json
+++ b/2024/13xxx/CVE-2024-13767.json
@@ -1,17 +1,85 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-13767",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-862 Missing Authorization",
+ "cweId": "CWE-862"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "jiangweifang",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Live2DWebCanvas",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.9.11"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23c89d9f-8958-4333-8604-54173c31efac?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23c89d9f-8958-4333-8604-54173c31efac?source=cve"
+ },
+ {
+ "url": "https://wordpress.org/plugins/live-2d/",
+ "refsource": "MISC",
+ "name": "https://wordpress.org/plugins/live-2d/"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Lucio S\u00e1"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH"
}
]
}
diff --git a/2024/13xxx/CVE-2024-13817.json b/2024/13xxx/CVE-2024-13817.json
index 86b10aa1f26..0973829d536 100644
--- a/2024/13xxx/CVE-2024-13817.json
+++ b/2024/13xxx/CVE-2024-13817.json
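Review bot: The `problemtype` entry in the CVE-2024-13767 record lists only `CWE-862 Missing Authorization`, while the description attributes the arbitrary file deletion to insufficient file path validation in ClearFiles(). Consumers that triage or build detections by CWE will not find this record under the path-handling classes; a second description entry with `"cweId": "CWE-22"` or `"cweId": "CWE-73"` (whichever the CNA confirms) would match the stated root cause. The vector sets `C:N` although the text says deleting wp-config.php can lead to remote code execution, so the 8.1 base score is arguably a floor when prioritising. No fixed version or patch reference is listed, so every release up to 1.9.11 should be treated as affected.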
@@ -1,17 +1,17 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-13817",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "REJECT"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
diff --git a/2025/0xxx/CVE-2025-0924.json b/2025/0xxx/CVE-2025-0924.json
new file mode 100644
index 00000000000..4332b9cce3b
--- /dev/null
+++ b/2025/0xxx/CVE-2025-0924.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-0924",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2025/0xxx/CVE-2025-0925.json b/2025/0xxx/CVE-2025-0925.json
new file mode 100644
index 00000000000..e4a92d4f7e4
--- /dev/null
+++ b/2025/0xxx/CVE-2025-0925.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-0925",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file