diff --git a/2024/10xxx/CVE-2024-10480.json b/2024/10xxx/CVE-2024-10480.json
index 79d8d317425..4702ffba7d9 100644
--- a/2024/10xxx/CVE-2024-10480.json
+++ b/2024/10xxx/CVE-2024-10480.json
@@ -1,18 +1,80 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-10480",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "contact@wpscan.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack."
 }
 ]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Unknown",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "3DPrint Lite",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "0",
+ "version_value": "2.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://wpscan.com/vulnerability/725ac766-c849-49d6-a968-58fcc2e134c8/",
+ "refsource": "MISC",
+ "name": "https://wpscan.com/vulnerability/725ac766-c849-49d6-a968-58fcc2e134c8/"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "WPScan CVE Generator"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Vuln Seeker Cybersecurity Team"
+ },
+ {
+ "lang": "en",
+ "value": "WPScan"
+ }
+ ]
 }
\ No newline at end of file
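Review bot: The published CVE-2024-10480 record carries no `impact` block, unlike the Wordfence-assigned records in this commit, so a pipeline that filters or prioritises on `baseSeverity` has nothing to read, and `"vendor_name": "Unknown"` defeats vendor-based matching. The CNA should add an `impact.cvss` entry with its own scored vector. Until then, consumers should match on `product_name` `3DPrint Lite` with versions below 2.1 and triage from the CWE-352 description. The same gap applies to CVE-2024-10551 in the next file.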
diff --git a/2024/10xxx/CVE-2024-10551.json b/2024/10xxx/CVE-2024-10551.json
index 72e4c50be4d..942480e9451 100644
--- a/2024/10xxx/CVE-2024-10551.json
+++ b/2024/10xxx/CVE-2024-10551.json
@@ -1,18 +1,89 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-10551",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "contact@wpscan.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
 }
 ]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Cross-Site Scripting (XSS)"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Unknown",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Sticky Social Icons",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "status": "affected",
+ "versionType": "semver",
+ "version": "0",
+ "lessThanOrEqual": "1.2.1"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://wpscan.com/vulnerability/cd1aea4a-e5a6-4f87-805d-459b293bbf28/",
+ "refsource": "MISC",
+ "name": "https://wpscan.com/vulnerability/cd1aea4a-e5a6-4f87-805d-459b293bbf28/"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "WPScan CVE Generator"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Krugov Aryom"
+ },
+ {
+ "lang": "en",
+ "value": "WPScan"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/2024/10xxx/CVE-2024-10578.json b/2024/10xxx/CVE-2024-10578.json
index 342fd605ab5..f4bac0447ad 100644
--- a/2024/10xxx/CVE-2024-10578.json
+++ b/2024/10xxx/CVE-2024-10578.json
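Review bot: In CVE-2024-10551 the `version_value` is the literal string `not down converted`, so a consumer of the 4.0 format that compares `version_value` gets no usable range. The range exists only under `x_cve_json_5_version_data` (`lessThanOrEqual` `1.2.1`), so parsers should read the nested `versions` array whenever `version_value` is not a version. With `"defaultStatus": "affected"` and a description that says "through 1.2.1", the record declares no fixed release. Inventory tooling should therefore treat every installed version of Sticky Social Icons as affected until the record is updated.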
@@ -1,17 +1,90 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-10578",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-434 Unrestricted Upload of File with Dangerous Type",
+ "cweId": "CWE-434"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "blazethemes",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Pubnews",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "1.0.7"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eaa0117-5320-431f-b3d2-05a867901528?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eaa0117-5320-431f-b3d2-05a867901528?source=cve"
+ },
+ {
+ "url": "https://themes.trac.wordpress.org/browser/pubnews/1.0.7/inc/admin/admin.php#L1017",
+ "refsource": "MISC",
+ "name": "https://themes.trac.wordpress.org/browser/pubnews/1.0.7/inc/admin/admin.php#L1017"
+ },
+ {
+ "url": "https://themes.trac.wordpress.org/changeset/250743/pubnews/1.0.8?contextall=1&old=245552&old_path=%2Fpubnews%2F1.0.7",
+ "refsource": "MISC",
+ "name": "https://themes.trac.wordpress.org/changeset/250743/pubnews/1.0.8?contextall=1&old=245552&old_path=%2Fpubnews%2F1.0.7"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Kevin Murphy"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH"
 }
 ]
 }
diff --git a/2024/11xxx/CVE-2024-11201.json b/2024/11xxx/CVE-2024-11201.json
index 45bbb3e4d46..bc0453b20f1 100644
--- a/2024/11xxx/CVE-2024-11201.json
+++ b/2024/11xxx/CVE-2024-11201.json
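Review bot: The `problemtype` for CVE-2024-10578 is `CWE-434 Unrestricted Upload of File with Dangerous Type`, but the description attributes the flaw to a missing capability check on `pubnews_importer_plugin_action_for_notice()`, which is an authorization failure rather than an upload-validation one. `"value": "CWE-862 Missing Authorization"` with `"cweId": "CWE-862"` would match the stated root cause and keep CWE-based dashboards from filing this under file-upload issues. The `PR:L` in the vector is consistent with the Subscriber-level precondition, so only the weakness class looks off. The record's final closing brace lies outside this hunk.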
@@ -1,17 +1,95 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-11201",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The myCred \u2013 Loyalty Points and Rewards plugin for WordPress and WooCommerce \u2013 Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send shortcode in all versions up to, and including, 2.7.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "wpexpertsio",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "myCred \u2013 Exclusive Platform for Loyalty Points and Rewards \u2013 Create Leaderboards, Ranks, Badges, Cashback Coupons, Referral Programs, WooCommerce & eCommerce wallet, Gamification Awards, and Achievements.",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "2.7.5.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d1d9bee-4afa-44cc-8e7a-8a73ad018c4a?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d1d9bee-4afa-44cc-8e7a-8a73ad018c4a?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/mycred/tags/2.7.5/includes/shortcodes/mycred_send.php#L63",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/mycred/tags/2.7.5/includes/shortcodes/mycred_send.php#L63"
+ },
+ {
+ "url": "https://wordpress.org/plugins/mycred/#developers",
+ "refsource": "MISC",
+ "name": "https://wordpress.org/plugins/mycred/#developers"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset/3203071/mycred/trunk/includes/shortcodes/mycred_send.php",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset/3203071/mycred/trunk/includes/shortcodes/mycred_send.php"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Peter Thaleikis"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
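Review bot: `product_name` in CVE-2024-11201 is a long marketing tagline ("myCred – Exclusive Platform for Loyalty Points and Rewards – …") that differs from the plugin name used in the description ("myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – …"), so exact-string product matching against an asset inventory is likely to miss this record. The stable identifier visible here is the slug `mycred` in the reference URLs; a short `"product_name": "myCred"` would be easier to match. The code reference points at `tags/2.7.5` while the affected range runs to 2.7.5.2, which is worth confirming against the tagged source.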
diff --git a/2024/11xxx/CVE-2024-11585.json b/2024/11xxx/CVE-2024-11585.json
index fa10a7424fb..754bfcef7e3 100644
--- a/2024/11xxx/CVE-2024-11585.json
+++ b/2024/11xxx/CVE-2024-11585.json
@@ -1,17 +1,85 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-11585",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The WP Hide & Security Enhancer plugin for WordPress is vulnerable to arbitrary file contents deletion due to a missing authorization and insufficient file path validation in the file-process.php in all versions up to, and including, 2.5.1. This makes it possible for unauthenticated attackers to delete the contents of arbitrary files on the server, which can break the site or lead to data loss."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "nsp-code",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "WP Hide & Security Enhancer",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "2.5.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c7056e-39d8-467e-92ec-33a31e5dafc9?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c7056e-39d8-467e-92ec-33a31e5dafc9?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/wp-hide-security-enhancer/tags/2.5.1/router/file-process.php#L43",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/browser/wp-hide-security-enhancer/tags/2.5.1/router/file-process.php#L43"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Michael Mazzolini"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH"
 }
 ]
 }
diff --git a/2024/12xxx/CVE-2024-12298.json b/2024/12xxx/CVE-2024-12298.json
new file mode 100644
index 00000000000..b480e20200e
--- /dev/null
+++ b/2024/12xxx/CVE-2024-12298.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-12298",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/8xxx/CVE-2024-8299.json b/2024/8xxx/CVE-2024-8299.json
index c590c50faa2..e4af870c1bb 100644
--- a/2024/8xxx/CVE-2024-8299.json
+++ b/2024/8xxx/CVE-2024-8299.json
@@ -92,6 +92,11 @@
 "url": "https://jvn.jp/vu/JVNVU93891820",
 "refsource": "MISC",
 "name": "https://jvn.jp/vu/JVNVU93891820"
+ },
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04"
 }
 ]
 },
diff --git a/2024/8xxx/CVE-2024-8300.json b/2024/8xxx/CVE-2024-8300.json
index 5084d982286..a5138e8eaa4 100644
--- a/2024/8xxx/CVE-2024-8300.json
+++ b/2024/8xxx/CVE-2024-8300.json
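Review bot: The CVSS vector for CVE-2024-11585 sets `A:N`, while the description says that deleting file contents "can break the site or lead to data loss"; the two should agree. If availability loss is intended, the vector would carry `A:H` and `baseScore`/`baseSeverity` would need recomputing; if not, the description should drop the site-breakage claim. The description also names missing authorization as a cause, yet only CWE-22 is listed, so a second `description` entry for CWE-862 Missing Authorization would reflect both causes. Because the vector is `PR:N`, installations at 2.5.1 or earlier deserve priority whichever way the score is settled.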
@@ -105,6 +105,11 @@
 "url": "https://jvn.jp/vu/JVNVU93891820",
 "refsource": "MISC",
 "name": "https://jvn.jp/vu/JVNVU93891820"
+ },
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04"
 }
 ]
 },
diff --git a/2024/9xxx/CVE-2024-9852.json b/2024/9xxx/CVE-2024-9852.json
index af044b26546..19dff19e6cd 100644
--- a/2024/9xxx/CVE-2024-9852.json
+++ b/2024/9xxx/CVE-2024-9852.json
@@ -92,6 +92,11 @@
 "url": "https://jvn.jp/vu/JVNVU93891820",
 "refsource": "MISC",
 "name": "https://jvn.jp/vu/JVNVU93891820"
+ },
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04"
 }
 ]
 },