diff --git a/2024/13xxx/CVE-2024-13887.json b/2024/13xxx/CVE-2024-13887.json
index 0e9891d7dcc..cba6e2b9d90 100644
--- a/2024/13xxx/CVE-2024-13887.json
+++ b/2024/13xxx/CVE-2024-13887.json
@@ -1,17 +1,85 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-13887",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-639 Authorization Bypass Through User-Controlled Key",
+ "cweId": "CWE-639"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "strategy11team",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "6.4.14"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c3de6d-92e7-46f8-86a9-37f027767fc0?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c3de6d-92e7-46f8-86a9-37f027767fc0?source=cve"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Rein Daelman"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/34xxx/CVE-2024-34517.json b/2024/34xxx/CVE-2024-34517.json
index 6b5e561c105..43d79ae4809 100644
--- a/2024/34xxx/CVE-2024-34517.json
+++ b/2024/34xxx/CVE-2024-34517.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "The Cypher component in Neo4j between v.5.0.0 and v.5.19.0 mishandles IMMUTABLE"
+ "value": "The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access."
 }
 ]
 },
diff --git a/2025/22xxx/CVE-2025-22954.json b/2025/22xxx/CVE-2025-22954.json
index 5979af2f7f0..749356759f2 100644
--- a/2025/22xxx/CVE-2025-22954.json
+++ b/2025/22xxx/CVE-2025-22954.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "Koha <= 21.11 is contains a SQL Injection vulnerability in /serials/lateissues-export.pl via the supplierid parameter."
+ "value": "GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter."
 }
 ]
 },
@@ -56,6 +56,11 @@
 "refsource": "CONFIRM",
 "name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829",
 "url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829"
+ },
+ {
+ "refsource": "CONFIRM",
+ "name": "https://koha-community.org/koha-24-11-02-released/",
+ "url": "https://koha-community.org/koha-24-11-02-released/"
 }
 ]
 }
diff --git a/2025/2xxx/CVE-2025-2250.json b/2025/2xxx/CVE-2025-2250.json
index 997b636a798..23116ebbd1e 100644
--- a/2025/2xxx/CVE-2025-2250.json
+++ b/2025/2xxx/CVE-2025-2250.json
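Review bot: The new CVE-2024-13887 record gives only an affected upper bound (`"version_affected": "<="`, `"version_value": "6.4.14"`) and links a fix changeset, but neither the description nor version_data names the release that closes the issue, so a consumer of this feed cannot tell which version to upgrade to. Consider ending the description with a sentence of the form `This issue was fixed in version <FIXED_VERSION>.` (placeholder; take the value from the linked changeset or the Wordfence advisory). A smaller consistency point: the credits entry uses `"lang": "en"` while both description entries use `"lang": "eng"`; if the record schema permits one code for both, aligning them avoids a second language-tag convention in the same document.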
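Review bot: The rewritten CVE-2024-34517 description states the affected range as "5.0.0 through 5.18", which mixes three-part and two-part version precision and leaves it unclear whether the 5.18.x patch releases are included, whereas the removed text ended the range at 5.19.0. State both ends at the same precision and name the first fixed release, e.g. `"Neo4j 5.0.0 through 5.18.<LAST_PATCH> (fixed in <FIXED_VERSION>)"` with the placeholders filled from the vendor advisory. The record's affects/version_data section is outside this hunk; if it still encodes the old 5.19.0 endpoint it now disagrees with the description and should be updated in the same commit.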
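Review bot: The new CVE-2025-22954 description moves the affected range from "<= 21.11" to "before 24.11.02" and adds a second injectable parameter (`serialid`), but only the description_data hunk and the references hunk are touched; the record's affects/version_data block, which is outside both hunks, presumably still carries the old 21.11 bound and would then contradict the description. Please confirm version_data is updated to match `before 24.11.02`, since automated consumers read the structured range rather than the prose. The added koha-24-11-02-released reference in the second hunk of this file is consistent with the new fixed version and needs no change.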
@@ -1,17 +1,90 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2025-2250",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@wordfence.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+ "cweId": "CWE-89"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "sminozzi",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "*",
+ "version_value": "2.32"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/602bf9b1-17a9-441a-b12d-15412df2deb4?source=cve",
+ "refsource": "MISC",
+ "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/602bf9b1-17a9-441a-b12d-15412df2deb4?source=cve"
+ },
+ {
+ "url": "https://plugins.svn.wordpress.org/reportattacks/tags/2.32/includes/list-tables/class-reportattacks-list-table.php",
+ "refsource": "MISC",
+ "name": "https://plugins.svn.wordpress.org/reportattacks/tags/2.32/includes/list-tables/class-reportattacks-list-table.php"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3254851%40reportattacks&new=3254851%40reportattacks&sfp_email=&sfph_mail=",
+ "refsource": "MISC",
+ "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3254851%40reportattacks&new=3254851%40reportattacks&sfp_email=&sfph_mail="
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Dzmitry Sviatlichny"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
+ "baseScore": 4.9,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
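Review bot: The third reference in the new CVE-2025-2250 record is a Trac changeset form URL whose `old=` and `new=` parameters both point at `3254851%40reportattacks`, padded with empty `sfp_email=`/`sfph_mail=` fields that are repeated; as written it appears to compare a revision against itself, so it may render no diff, and the form-generated query string is fragile as a long-lived advisory link. Please verify what the link shows and, if it does not display the fix, replace both the `url` and the identical `name` value with a direct changeset link of the same shape as the first file's reference (constructed, to be checked: `https://plugins.trac.wordpress.org/changeset/3254851/reportattacks`). As in the other Wordfence record in this commit, the description gives only the inclusive upper bound `2.32` and no fixed version; a closing sentence such as `This issue was fixed in version <FIXED_VERSION>.` would let readers act on the advisory without following the references.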