From d70d51a98b5fd03d92acfb3e79b62fc995dc06d4 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Thu, 4 Jul 2024 04:00:40 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/2xxx/CVE-2024-2385.json | 80 +++++++++++++++++++++++-- 2024/2xxx/CVE-2024-2926.json | 110 +++++++++++++++++++++++++++++++++-- 2024/3xxx/CVE-2024-3638.json | 80 +++++++++++++++++++++++-- 2024/3xxx/CVE-2024-3639.json | 75 ++++++++++++++++++++++-- 2024/6xxx/CVE-2024-6387.json | 5 ++ 5 files changed, 334 insertions(+), 16 deletions(-) diff --git a/2024/2xxx/CVE-2024-2385.json b/2024/2xxx/CVE-2024-2385.json index 7a133eac977..4ae2185b75b 100644 --- a/2024/2xxx/CVE-2024-2385.json +++ b/2024/2xxx/CVE-2024-2385.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-2385", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin's widgets through the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "livemesh", + "product": { + "product_data": [ + { + "product_name": "Elementor Addons by Livemesh", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "8.3.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0aa3ec9b-80d5-4e31-8045-43c8d151cab8?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0aa3ec9b-80d5-4e31-8045-43c8d151cab8?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.5/includes/helper-functions.php#L726", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.5/includes/helper-functions.php#L726" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.5/includes/widgets/heading.php#L267", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.5/includes/widgets/heading.php#L267" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "wesley" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 8.8, + "baseSeverity": "HIGH" } ] } diff --git a/2024/2xxx/CVE-2024-2926.json b/2024/2xxx/CVE-2024-2926.json index d73917e3bd9..962ae59f215 100644 --- a/2024/2xxx/CVE-2024-2926.json +++ b/2024/2xxx/CVE-2024-2926.json @@ -1,17 +1,119 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-2926", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "livemesh", + "product": { + "product_data": [ + { + "product_name": "Elementor Addons by Livemesh", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "8.3.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78e9beef-4d2b-4004-8db7-4963882e405b?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78e9beef-4d2b-4004-8db7-4963882e405b?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/carousel/loop.php#L47", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/carousel/loop.php#L47" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-slider/loop-start.php#L36", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-slider/loop-start.php#L36" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-multislider/loop-start.php#L45", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-multislider/loop-start.php#L45" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-gridbox-slider/loop-start.php#L32", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-gridbox-slider/loop-start.php#L32" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-carousel/loop-start.php#L44", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/posts-carousel/loop-start.php#L44" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/device-slider/loop.php#L34", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/device-slider/loop.php#L34" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/animated-text/loop.php#L45", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/animated-text/loop.php#L45" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/animated-text/loop.php#L40", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/8.3.6/templates/addons/animated-text/loop.php#L40" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "wesley" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/3xxx/CVE-2024-3638.json b/2024/3xxx/CVE-2024-3638.json index bb6d3173fe1..9cb555f2e82 100644 --- a/2024/3xxx/CVE-2024-3638.json +++ b/2024/3xxx/CVE-2024-3638.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-3638", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "livemesh", + "product": { + "product_data": [ + { + "product_name": "Elementor Addons by Livemesh", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "8.3.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58dfd766-7156-4aec-b8db-76908b775ba0?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58dfd766-7156-4aec-b8db-76908b775ba0?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/marquee-text/content.php#L24", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/marquee-text/content.php#L24" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/marquee-text/content.php#L28", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/templates/addons/marquee-text/content.php#L28" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Craig Smith" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/3xxx/CVE-2024-3639.json b/2024/3xxx/CVE-2024-3639.json index 5562f8b0bbe..491dd114204 100644 --- a/2024/3xxx/CVE-2024-3639.json +++ b/2024/3xxx/CVE-2024-3639.json @@ -1,17 +1,84 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-3639", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "livemesh", + "product": { + "product_data": [ + { + "product_name": "Elementor Addons by Livemesh", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "8.3.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9729ccc9-e3f1-4096-8430-22998b386cec?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9729ccc9-e3f1-4096-8430-22998b386cec?source=cve" + }, + { + "url": "https://wordpress.org/plugins/addons-for-elementor/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/addons-for-elementor/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Ng\u00f4 Thi\u00ean An" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/6xxx/CVE-2024-6387.json b/2024/6xxx/CVE-2024-6387.json index c241aa89e96..3149b1e4298 100644 --- a/2024/6xxx/CVE-2024-6387.json +++ b/2024/6xxx/CVE-2024-6387.json @@ -311,6 +311,11 @@ "url": "http://www.openwall.com/lists/oss-security/2024/07/03/11", "refsource": "MISC", "name": "http://www.openwall.com/lists/oss-security/2024/07/03/11" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/07/04/1", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2024/07/04/1" } ] },