diff --git a/2023/0xxx/CVE-2023-0341.json b/2023/0xxx/CVE-2023-0341.json index b9117ae892f..968741f0986 100644 --- a/2023/0xxx/CVE-2023-0341.json +++ b/2023/0xxx/CVE-2023-0341.json @@ -40,8 +40,9 @@ "version": { "version_data": [ { - "version_value": "0", - "version_affected": "=" + "version_affected": "<", + "version_name": "0", + "version_value": "v0.12.6" } ] } @@ -68,6 +69,11 @@ "url": "https://ubuntu.com/security/notices/USN-5842-1", "refsource": "MISC", "name": "https://ubuntu.com/security/notices/USN-5842-1" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCFE7DXWAAKDJPRKMXHCACKGKNV37IYZ/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCFE7DXWAAKDJPRKMXHCACKGKNV37IYZ/" } ] }, diff --git a/2023/2xxx/CVE-2023-2298.json b/2023/2xxx/CVE-2023-2298.json index 108e3b10769..9a13fccb225 100644 --- a/2023/2xxx/CVE-2023-2298.json +++ b/2023/2xxx/CVE-2023-2298.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2298", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'business_id' parameter in versions up to, and including, 4.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Online Booking & Scheduling Calendar for WordPress by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.2.10" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-api-functions.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-api-functions.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 7.2, + "baseSeverity": "HIGH" } ] } diff --git a/2023/2xxx/CVE-2023-2299.json b/2023/2xxx/CVE-2023-2299.json index b214f3a2fe8..8c8ac278c8c 100644 --- a/2023/2xxx/CVE-2023-2299.json +++ b/2023/2xxx/CVE-2023-2299.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2299", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862 Missing Authorization" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Online Booking & Scheduling Calendar for WordPress by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.2.10" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-api-functions.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-api-functions.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2300.json b/2023/2xxx/CVE-2023-2300.json index e31a0d54cec..48e0ab2dd62 100644 --- a/2023/2xxx/CVE-2023-2300.json +++ b/2023/2xxx/CVE-2023-2300.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2300", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 4.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "eyale-vc", + "product": { + "product_data": [ + { + "product_name": "Contact Form Builder by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.9.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/contact-form-with-a-meeting-scheduler-by-vcita/trunk/system/parse_vcita_callback.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/contact-form-with-a-meeting-scheduler-by-vcita/trunk/system/parse_vcita_callback.php#L55" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2301.json b/2023/2xxx/CVE-2023-2301.json index e862d544ecd..a50f087c554 100644 --- a/2023/2xxx/CVE-2023-2301.json +++ b/2023/2xxx/CVE-2023-2301.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2301", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form Builder by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.1. This is due to missing nonce validation on the ls_parse_vcita_callback function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "eyale-vc", + "product": { + "product_data": [ + { + "product_name": "Contact Form Builder by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.9.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/contact-form-with-a-meeting-scheduler-by-vcita/trunk/system/parse_vcita_callback.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/contact-form-with-a-meeting-scheduler-by-vcita/trunk/system/parse_vcita_callback.php#L55" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2302.json b/2023/2xxx/CVE-2023-2302.json index 74329bf385b..76e851b4d12 100644 --- a/2023/2xxx/CVE-2023-2302.json +++ b/2023/2xxx/CVE-2023-2302.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2302", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Contact Form and Calls To Action by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.6.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2303.json b/2023/2xxx/CVE-2023-2303.json index 221e40ed129..34a6db10d62 100644 --- a/2023/2xxx/CVE-2023-2303.json +++ b/2023/2xxx/CVE-2023-2303.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2303", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.4. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "eyale-vc", + "product": { + "product_data": [ + { + "product_name": "Contact Form Builder by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.6.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2404.json b/2023/2xxx/CVE-2023-2404.json index 9397bb15515..e9556ff15e0 100644 --- a/2023/2xxx/CVE-2023-2404.json +++ b/2023/2xxx/CVE-2023-2404.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2404", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "CRM and Lead Management by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.6.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2405.json b/2023/2xxx/CVE-2023-2405.json index 37ea1990498..264b959d5ba 100644 --- a/2023/2xxx/CVE-2023-2405.json +++ b/2023/2xxx/CVE-2023-2405.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2405", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "CRM and Lead Management by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.6.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2406.json b/2023/2xxx/CVE-2023-2406.json index 62c631a981c..09c739ad711 100644 --- a/2023/2xxx/CVE-2023-2406.json +++ b/2023/2xxx/CVE-2023-2406.json @@ -1,17 +1,106 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2406", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments \u2013 Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Event Registration Calendar By vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.3.1" + } + ] + } + }, + { + "product_name": "Online Payments \u2013 Get Paid with PayPal, Square & Stripe", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.9.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ab05954-9999-43ff-8e3c-a987e2da1956?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ab05954-9999-43ff-8e3c-a987e2da1956?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2407.json b/2023/2xxx/CVE-2023-2407.json index 7cd56ed5247..12e16e6f6b6 100644 --- a/2023/2xxx/CVE-2023-2407.json +++ b/2023/2xxx/CVE-2023-2407.json @@ -1,17 +1,106 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2407", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments \u2013 Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Event Registration Calendar By vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.3.1" + } + ] + } + }, + { + "product_name": "Online Payments \u2013 Get Paid with PayPal, Square & Stripe", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.9.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990b-f05cbbf8fb8e?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990b-f05cbbf8fb8e?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2415.json b/2023/2xxx/CVE-2023-2415.json index eb7c482beb1..cb5d06a120f 100644 --- a/2023/2xxx/CVE-2023-2415.json +++ b/2023/2xxx/CVE-2023-2415.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2415", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to logout a vctia connected account which would cause a denial of service on the appointment scheduler." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862 Missing Authorization" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Online Booking & Scheduling Calendar for WordPress by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.2.10" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L55" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/2xxx/CVE-2023-2416.json b/2023/2xxx/CVE-2023-2416.json index dd206fc5259..6b57a208b8e 100644 --- a/2023/2xxx/CVE-2023-2416.json +++ b/2023/2xxx/CVE-2023-2416.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-2416", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for unauthenticated to logout a vctia connected account which would cause a denial of service on the appointment scheduler, via a forged request granted they can trick a site user into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "vcita", + "product": { + "product_data": [ + { + "product_name": "Online Booking & Scheduling Calendar for WordPress by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.2.10" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L55", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L55" + }, + { + "url": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita", + "refsource": "MISC", + "name": "https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jonas H\u00f6benreich" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/34xxx/CVE-2023-34151.json b/2023/34xxx/CVE-2023-34151.json index ca0f742ebc7..34c57116e67 100644 --- a/2023/34xxx/CVE-2023-34151.json +++ b/2023/34xxx/CVE-2023-34151.json @@ -58,6 +58,11 @@ "refsource": "MISC", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2210657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210657" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-d53831b69d", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/" } ] }, diff --git a/2023/34xxx/CVE-2023-34152.json b/2023/34xxx/CVE-2023-34152.json index 74e9c101aca..379ea5dbc39 100644 --- a/2023/34xxx/CVE-2023-34152.json +++ b/2023/34xxx/CVE-2023-34152.json @@ -58,6 +58,11 @@ "refsource": "MISC", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2210659", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210659" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-d53831b69d", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/" } ] }, diff --git a/2023/34xxx/CVE-2023-34153.json b/2023/34xxx/CVE-2023-34153.json index 83a10dbabde..16fb2128f63 100644 --- a/2023/34xxx/CVE-2023-34153.json +++ b/2023/34xxx/CVE-2023-34153.json @@ -58,6 +58,11 @@ "refsource": "MISC", "name": "https://access.redhat.com/security/cve/CVE-2023-34153", "url": "https://access.redhat.com/security/cve/CVE-2023-34153" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-d53831b69d", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/" } ] },