admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-08 03:27:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adds CVEs

Browse Source
This commit is contained in:
erwanlr 2021-05-24 10:43:51 +02:00
parent ca314d6a7b
commit 833664ef12
12 changed files with 900 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
2021/24xxx/CVE-2021-24294.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24294",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24294",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Michael Leithold",
"product": {
"product_data": [
{
"product_name": "DSGVO All in one for WP",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "4.0",
"version_value": "4.0"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/43b8cfb4-f875-432b-8e3b-52653fdee87c",
"name": "https://wpscan.com/vulnerability/43b8cfb4-f875-432b-8e3b-52653fdee87c"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "dc11"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24296.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24296",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24296",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Go Web Solutions",
"product": {
"product_data": [
{
"product_name": "WP Customer Reviews",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "3.5.6",
"version_value": "3.5.6"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/c450f54a-3372-49b2-8ad8-68d5cc0dd49e",
"name": "https://wpscan.com/vulnerability/c450f54a-3372-49b2-8ad8-68d5cc0dd49e"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Truoc Phan from Techlab Corporation"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24297.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24297",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24297",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Goto < 2.1 - Reflected Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Unknown",
"product": {
"product_data": [
{
"product_name": "Goto",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "2.1",
"version_value": "2.1"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/a64a3b2e-7924-47aa-96e8-3aa02a6cdccc",
"name": "https://wpscan.com/vulnerability/a64a3b2e-7924-47aa-96e8-3aa02a6cdccc"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Truoc Phan from Techlab Corporation"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

94
2021/24xxx/CVE-2021-24298.json
View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24298",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24298",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Igor Benic",
"product": {
"product_data": [
{
"product_name": "Simple Giveaways Grow your business, email lists and traffic with contests",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "2.36.2",
"version_value": "2.36.2"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91",
"name": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"
},
{
"refsource": "MISC",
"url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/",
"name": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Shreya Pohekar of Codevigilant Project"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24300.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24300",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24300",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "PickPlugins",
"product": {
"product_data": [
{
"product_name": "PickPlugins Product Slider for WooCommerce",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "1.13.22",
"version_value": "1.13.22"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837",
"name": "https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "0xB9"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24301.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24301",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24301",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Blue Medicine Labs",
"product": {
"product_data": [
{
"product_name": "Hotjar Connecticator",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "1.1.1",
"version_value": "1.1.1"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/eb8e2b9d-f153-49c9-862a-5c016934f9ad",
"name": "https://wpscan.com/vulnerability/eb8e2b9d-f153-49c9-862a-5c016934f9ad"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Kishore Hariram"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24302.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24302",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24302",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "HanaDaddy",
"product": {
"product_data": [
{
"product_name": "Hana Flv Player",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "3.1.3",
"version_value": "3.1.3"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/372a66ca-1c3c-4429-86a5-81dbdaa9ec7d",
"name": "https://wpscan.com/vulnerability/372a66ca-1c3c-4429-86a5-81dbdaa9ec7d"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Kishore Hariram"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

94
2021/24xxx/CVE-2021-24305.json
View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24305",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24305",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "TargetFirst",
"product": {
"product_data": [
{
"product_name": "Target First Plugin",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.0",
"version_value": "2.0"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter that will be save as the 'weeID option and is not sanitized."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/4d55d1f5-a7b8-4029-942d-7a13e2498f64",
"name": "https://wpscan.com/vulnerability/4d55d1f5-a7b8-4029-942d-7a13e2498f64"
},
{
"refsource": "MISC",
"url": "https://www.targetfirst.com/",
"name": "https://www.targetfirst.com/"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Vincent MICHEL"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

89
2021/24xxx/CVE-2021-24306.json
View File

@ -1,18 +1,75 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24306",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24306",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Ultimate Member",
"product": {
"product_data": [
{
"product_name": "Ultimate Member User Profile, User Registration, Login & Membership Plugin",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "2.1.20",
"version_value": "2.1.20"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Ultimate Member User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/35516555-c50c-486a-886c-df49c9e51e2c",
"name": "https://wpscan.com/vulnerability/35516555-c50c-486a-886c-df49c9e51e2c"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "riki aji"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

94
2021/24xxx/CVE-2021-24307.json
View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24307",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24307",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "All in One SEO Team",
"product": {
"product_data": [
{
"product_name": "All in One SEO Best WordPress SEO Plugin Easily Improve Your SEO Rankings",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "4.1.0.2",
"version_value": "4.1.0.2"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The All in One SEO Best WordPress SEO Plugin Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with \"aioseo_tools_settings\" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section \"Tool > Import/Export\". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1",
"name": "https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1"
},
{
"refsource": "MISC",
"url": "https://aioseo.com/changelog/",
"name": "https://aioseo.com/changelog/"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "Vincent MICHEL"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

94
2021/24xxx/CVE-2021-24308.json
View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24308",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24308",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "LifterLMS",
"product": {
"product_data": [
{
"product_name": "LMS by LifterLMS Online Course, Membership & Learning Management System Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "4.21.1",
"version_value": "4.21.1"
}
]
}
}
]
}
}
]
}
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The 'State' field of the Edit profile page of the LMS by LifterLMS Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/f29f68a5-6575-441d-98c9-867145f2b082",
"name": "https://wpscan.com/vulnerability/f29f68a5-6575-441d-98c9-867145f2b082"
},
{
"refsource": "MISC",
"url": "https://github.com/gocodebox/lifterlms/releases/tag/4.21.1",
"name": "https://github.com/gocodebox/lifterlms/releases/tag/4.21.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "captain_hook"
}
],
"source": {
"discovery": "UNKNOWN"
}
}

92
2021/24xxx/CVE-2021-24332.json
View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-24332",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
"CVE_data_meta": {
"ID": "CVE-2021-24332",
"ASSIGNER": "contact@wpscan.com",
"STATE": "PUBLIC",
"TITLE": "Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"generator": "WPScan CVE Generator",
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Unknown",
"product": {
"product_data": [
{
"product_name": "Autoptimize",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "2.8.4",
"version_value": "2.8.4"
}
]
}
}
]
}
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/6678e064-ce21-4bb2-8c50-061073fb22fb",
"name": "https://wpscan.com/vulnerability/6678e064-ce21-4bb2-8c50-061073fb22fb"
},
{
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/[2021-04-01]-[WordPress]-[CWE-79]-Autoptimize-WordPress-Plugin-v2.8.3.txt",
"name": "https://m0ze.ru/vulnerability/[2021-04-01]-[WordPress]-[CWE-79]-Autoptimize-WordPress-Plugin-v2.8.3.txt"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"value": "CWE-79 Cross-site Scripting (XSS)",
"lang": "eng"
}
]
}
]
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"source": {
"discovery": "UNKNOWN"
}
}