From 1abb3f07b07aff459771d8ca7177bbd539851b81 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 21 May 2024 12:00:33 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/36xxx/CVE-2024-36140.json | 18 ++++++++ 2024/3xxx/CVE-2024-3268.json | 75 +++++++++++++++++++++++++++++-- 2024/4xxx/CVE-2024-4361.json | 80 ++++++++++++++++++++++++++++++++-- 2024/4xxx/CVE-2024-4420.json | 61 ++++++++++++++++++++++++-- 2024/4xxx/CVE-2024-4619.json | 80 ++++++++++++++++++++++++++++++++-- 2024/4xxx/CVE-2024-4876.json | 80 ++++++++++++++++++++++++++++++++-- 2024/5xxx/CVE-2024-5168.json | 18 ++++++++ 7 files changed, 392 insertions(+), 20 deletions(-) create mode 100644 2024/36xxx/CVE-2024-36140.json create mode 100644 2024/5xxx/CVE-2024-5168.json diff --git a/2024/36xxx/CVE-2024-36140.json b/2024/36xxx/CVE-2024-36140.json new file mode 100644 index 00000000000..496dcda26aa --- /dev/null +++ b/2024/36xxx/CVE-2024-36140.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-36140", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/3xxx/CVE-2024-3268.json b/2024/3xxx/CVE-2024-3268.json index 053058853e5..d6b0840c133 100644 --- a/2024/3xxx/CVE-2024-3268.json +++ b/2024/3xxx/CVE-2024-3268.json @@ -1,17 +1,84 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-3268", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862 Missing Authorization" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "emarket-design", + "product": { + "product_data": [ + { + "product_name": "YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plugin for WordPress", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.3.6" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9d5382-d37d-4a40-8f22-e32b8ee98859?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9d5382-d37d-4a40-8f22-e32b8ee98859?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3088363/youtube-showcase", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3088363/youtube-showcase" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Lucio S\u00e1" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/4xxx/CVE-2024-4361.json b/2024/4xxx/CVE-2024-4361.json index df4c55e54b6..a583e7feb85 100644 --- a/2024/4xxx/CVE-2024-4361.json +++ b/2024/4xxx/CVE-2024-4361.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-4361", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "gpriday", + "product": { + "product_data": [ + { + "product_name": "Page Builder by SiteOrigin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.29.15" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a97f72f6-86f7-45dc-908a-292ba735071d?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a97f72f6-86f7-45dc-908a-292ba735071d?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/siteorigin-panels/trunk/inc/widget-shortcode.php#L40", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/siteorigin-panels/trunk/inc/widget-shortcode.php#L40" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3086025/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3086025/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Matthew Rollings" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/4xxx/CVE-2024-4420.json b/2024/4xxx/CVE-2024-4420.json index 094eb3099db..fbfa113b0c3 100644 --- a/2024/4xxx/CVE-2024-4420.json +++ b/2024/4xxx/CVE-2024-4420.json @@ -1,18 +1,71 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-4420", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@google.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3.\u00a0 * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.\n\n\n * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.\n\n\nWe recommend upgrading to version 2.1.3 or above" } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-116 Improper Encoding or Escaping of Output", + "cweId": "CWE-116" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Tink", + "product": { + "product_data": [ + { + "product_name": "Tink-cc", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "2.0.0", + "version_value": "2.1.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/tink-crypto/tink-cc/issues/4", + "refsource": "MISC", + "name": "https://github.com/tink-crypto/tink-cc/issues/4" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "INTERNAL" } } \ No newline at end of file diff --git a/2024/4xxx/CVE-2024-4619.json b/2024/4xxx/CVE-2024-4619.json index af5bcbea4f0..350e6dc0b4d 100644 --- a/2024/4xxx/CVE-2024-4619.json +++ b/2024/4xxx/CVE-2024-4619.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-4619", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Elementor Website Builder \u2013 More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the \u2018hover_animation\u2019 parameter in versions up to, and including, 3.21.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "elemntor", + "product": { + "product_data": [ + { + "product_name": "Elementor Website Builder \u2013 More than Just a Page Builder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.21.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7e1028e-e04b-46c4-b574-889d9fc1069d?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7e1028e-e04b-46c4-b574-889d9fc1069d?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/elementor/trunk/includes/widgets/image-box.php#L696", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/elementor/trunk/includes/widgets/image-box.php#L696" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3089420", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3089420" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Craig Smith" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/4xxx/CVE-2024-4876.json b/2024/4xxx/CVE-2024-4876.json index ed62501acd0..897bf2fc826 100644 --- a/2024/4xxx/CVE-2024-4876.json +++ b/2024/4xxx/CVE-2024-4876.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-4876", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018popover_header_text\u2019 parameter in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "devitemsllc", + "product": { + "product_data": [ + { + "product_name": "HT Mega \u2013 Absolute Addons For Elementor", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.5.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39e104fa-591a-41e8-af7e-f8b32a199170?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39e104fa-591a-41e8-af7e-f8b32a199170?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.5.0/includes/widgets/htmega_popover.php#L891", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.5.0/includes/widgets/htmega_popover.php#L891" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3088899/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3088899/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "wesley" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/5xxx/CVE-2024-5168.json b/2024/5xxx/CVE-2024-5168.json new file mode 100644 index 00000000000..5493c49dc3a --- /dev/null +++ b/2024/5xxx/CVE-2024-5168.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-5168", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file