diff --git a/2024/11xxx/CVE-2024-11218.json b/2024/11xxx/CVE-2024-11218.json
index 01af2b64825..31686a0ca91 100644
--- a/2024/11xxx/CVE-2024-11218.json
+++ b/2024/11xxx/CVE-2024-11218.json
@@ -56,6 +56,14 @@
 {
 "version_value": "not down converted",
 "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "version": "2:1.37.6-1.el9_5",
+ "lessThan": "*",
+ "versionType": "rpm",
+ "status": "unaffected"
+ }
+ ],
 "defaultStatus": "affected"
 }
 }
@@ -119,6 +127,11 @@
 "refsource": "MISC",
 "name": "https://access.redhat.com/errata/RHSA-2025:0922"
 },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2025:0923",
+ "refsource": "MISC",
+ "name": "https://access.redhat.com/errata/RHSA-2025:0923"
+ },
 {
 "url": "https://access.redhat.com/security/cve/CVE-2024-11218",
 "refsource": "MISC",
diff --git a/2024/13xxx/CVE-2024-13356.json b/2024/13xxx/CVE-2024-13356.json
index 3c90d52583f..932e2874527 100644
--- a/2024/13xxx/CVE-2024-13356.json
+++ b/2024/13xxx/CVE-2024-13356.json
@@ -1,17 +1,90 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-13356",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the user_remove_form.php file. This makes it possible for unauthenticated attackers to delete admin user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-352 Cross-Site Request Forgery (CSRF)",
+ "cweId": "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "mlfactory",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "DSGVO All in one for WP",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "4.6"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2efe885d-7e17-4057-abde-37482047facb?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2efe885d-7e17-4057-abde-37482047facb?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/trunk/core/inc/user_remove_form.php#L25",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/trunk/core/inc/user_remove_form.php#L25"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset/3233492/dsgvo-all-in-one-for-wp/trunk/core/inc/user_remove_form.php",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset/3233492/dsgvo-all-in-one-for-wp/trunk/core/inc/user_remove_form.php"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Khayal Farzaliyev"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/13xxx/CVE-2024-13510.json b/2024/13xxx/CVE-2024-13510.json
index a701682aedd..3f3a2f1fbee 100644
--- a/2024/13xxx/CVE-2024-13510.json
+++ b/2024/13xxx/CVE-2024-13510.json
@@ -1,17 +1,85 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-13510",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The ShopSite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-352 Cross-Site Request Forgery (CSRF)",
+ "cweId": "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "shopsite",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "ShopSite",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.5.10"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2fde092-0a12-42ab-abbb-7f5ff5de9af2?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2fde092-0a12-42ab-abbb-7f5ff5de9af2?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3226553%40shopsite-plugin%2Ftrunk&old=3139879%40shopsite-plugin%2Ftrunk&sfp_email=&sfph_mail=",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3226553%40shopsite-plugin%2Ftrunk&old=3139879%40shopsite-plugin%2Ftrunk&sfp_email=&sfph_mail="
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "SOPROBRO"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/13xxx/CVE-2024-13529.json b/2024/13xxx/CVE-2024-13529.json
index afa955268b1..ca92a9e6823 100644
--- a/2024/13xxx/CVE-2024-13529.json
+++ b/2024/13xxx/CVE-2024-13529.json
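Review bot: The second reference entry on the new side carries form-submission artifacts in both `url` and `name` — `sfp_email=&sfph_mail=&reponame=` with `sfp_email=` and `sfph_mail=` each appearing twice — that play no part in identifying the Trac changeset comparison and make the reference harder to verify or deduplicate against other feeds. Trimming the URL to its `new=` and `old=` parameters would point at the same comparison; since `name` repeats the URL verbatim, both fields need the same trim. The description also locates the missing nonce check only "on a function", whereas the sibling records in this commit name the affected file or function; if the assigner knows it, naming it would make the record actionable for defenders triaging their installs.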
@@ -1,17 +1,90 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-13529",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-862 Missing Authorization",
+ "cweId": "CWE-862"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "iqonicdesign",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "SocialV - Social Network and Community BuddyPress Theme",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "2.0.15"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0b766a-b7fd-4950-9868-de3308123229?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0b766a-b7fd-4950-9868-de3308123229?source=cve"
+ },
+ {
+ "url": "https://assets.iqonic.design/documentation/wordpress/socialv-doc/index.html#changelog",
+ "refsource": "MISC",
+ "name": "https://assets.iqonic.design/documentation/wordpress/socialv-doc/index.html#changelog"
+ },
+ {
+ "url": "https://themeforest.net/item/socialv-community-buddypress-theme/38612588",
+ "refsource": "MISC",
+ "name": "https://themeforest.net/item/socialv-community-buddypress-theme/38612588"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Lucio S\u00e1"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/13xxx/CVE-2024-13733.json b/2024/13xxx/CVE-2024-13733.json
index f89a76423ab..d37a7ba217c 100644
--- a/2024/13xxx/CVE-2024-13733.json
+++ b/2024/13xxx/CVE-2024-13733.json
@@ -1,17 +1,95 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-13733",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SKT Blocks \u2013 Gutenberg based Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's skt-blocks/post-carousel block in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "sonalsinha21",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "SKT Blocks \u2013 Gutenberg based Page Builder",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a84999-bd1b-4b86-9fa1-09c20b50ce37?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a84999-bd1b-4b86-9fa1-09c20b50ce37?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/skt-blocks/trunk/src/blocks/post-carousel/index.php#L751",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/skt-blocks/trunk/src/blocks/post-carousel/index.php#L751"
+ },
+ {
+ "url": "https://wordpress.org/plugins/skt-blocks",
+ "refsource": "MISC",
+ "name": "https://wordpress.org/plugins/skt-blocks"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset/3233980/",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset/3233980/"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Djaidja Moundjid"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/40xxx/CVE-2024-40890.json b/2024/40xxx/CVE-2024-40890.json
index 157ea6402d5..c0aa891b227 100644
--- a/2024/40xxx/CVE-2024-40890.json
+++ b/2024/40xxx/CVE-2024-40890.json
@@ -1,17 +1,87 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-40890",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@zyxel.com.tw",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "** UNSUPPPORTED WHEN ASSIGNED ** **UNSUPPORTED WHEN ASSIGNED**\nA post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
+ "cweId": "CWE-78"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Zyxel",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "VMG4325-B10A firmware",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "<= 1.00(AAFR.4)C0_20170615"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025",
+ "refsource": "MISC",
+ "name": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2025/23xxx/CVE-2025-23015.json b/2025/23xxx/CVE-2025-23015.json
index a512d1f4f83..ccf06c11864 100644
--- a/2025/23xxx/CVE-2025-23015.json
+++ b/2025/23xxx/CVE-2025-23015.json
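Review bot: The new description opens with `** UNSUPPPORTED WHEN ASSIGNED ** **UNSUPPORTED WHEN ASSIGNED**` — the marker appears twice and the first copy is misspelled, so consumers that key on the canonical `** UNSUPPORTED WHEN ASSIGNED **` prefix to flag end-of-life products will see a non-matching first token; one correctly spelled marker is all the record needs. The version entry also folds the range operator into the value (`"version_affected": "="` alongside `"version_value": "<= 1.00(AAFR.4)C0_20170615"`), so a machine reader sees an exact match against a string that starts with `<=` rather than a less-than-or-equal range; every other record in this commit expresses the same idea as `"version_affected": "<="` with the bare version in `version_value`, and this one should follow suit. Both are defects in the assigner's data rather than in the import itself, but they propagate to every downstream feed that ingests this file.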
@@ -1,18 +1,109 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2025-23015",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.\n\nThis issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.\n\nUsers are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue."
 }
 ]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-267 Privilege Defined With Unsafe Actions",
+ "cweId": "CWE-267"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache Cassandra",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "3.0.0",
+ "version_value": "3.0.30"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "3.1.0",
+ "version_value": "3.11.17"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "4.0.0",
+ "version_value": "4.0.15"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "4.1.0",
+ "version_value": "4.1.7"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "5.0.0",
+ "version_value": "5.0.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s",
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Adam Pond of Apple Services Engineering Security"
+ },
+ {
+ "lang": "en",
+ "value": "Ali Mirheidari of Apple Services Engineering Security"
+ },
+ {
+ "lang": "en",
+ "value": "Terry Thibault of Apple Services Engineering Security"
+ },
+ {
+ "lang": "en",
+ "value": "Will Brattain of Apple Services Engineering Security"
+ }
+ ]
 }
\ No newline at end of file
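Review bot: The second `version_data` entry on the new side gives `"version_name": "3.1.0"` as the lower bound of the range that ends at `3.11.17`, while every other entry names the `.0` release of the series it bounds (`3.0.0`, `4.0.0`, `4.1.0`, `5.0.0`); `3.11.0` looks like the intended value, so confirm against the assigner's record before this is consumed as a range start. The description's closing sentence, "versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue", has a plural subject and should read "which fix the issue"; that text is the assigner's and only worth changing if the record is re-exported. The `\ No newline at end of file` marker sits on an unchanged context line, so the missing trailing newline predates this commit rather than being introduced by it.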