From d84a1f53e47c0a95e9473b9ef1258b1a8f61d4ef Mon Sep 17 00:00:00 2001 From: CVE Team Date: Sat, 4 Jan 2025 12:01:03 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/12xxx/CVE-2024-12195.json | 81 ++++++++++++++++++++++++++++++++-- 2024/12xxx/CVE-2024-12279.json | 81 ++++++++++++++++++++++++++++++++-- 2024/12xxx/CVE-2024-12475.json | 81 ++++++++++++++++++++++++++++++++-- 3 files changed, 231 insertions(+), 12 deletions(-) diff --git a/2024/12xxx/CVE-2024-12195.json b/2024/12xxx/CVE-2024-12195.json index f1b96d983df..55099968a6b 100644 --- a/2024/12xxx/CVE-2024-12195.json +++ b/2024/12xxx/CVE-2024-12195.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12195", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The WP Project Manager \u2013 Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "wedevs", + "product": { + "product_data": [ + { + "product_name": "WP Project Manager \u2013 Task, team, and project management plugin featuring kanban board and gantt charts", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.6.16" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/798d120a-edec-4af9-b574-46f9beabc491?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/798d120a-edec-4af9-b574-46f9beabc491?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.14/src/Task_List/Controllers/Task_List_Controller.php#L688", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.14/src/Task_List/Controllers/Task_List_Controller.php#L688" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3213295/wedevs-project-manager", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3213295/wedevs-project-manager" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "baseScore": 6.5, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12279.json b/2024/12xxx/CVE-2024-12279.json index d76d2a21918..81b65b5f56e 100644 --- a/2024/12xxx/CVE-2024-12279.json +++ b/2024/12xxx/CVE-2024-12279.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12279", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "justin_k", + "product": { + "product_data": [ + { + "product_name": "WP Social AutoConnect", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.6.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/392d8286-a5fd-4d5d-9f6a-f13564013edc?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/392d8286-a5fd-4d5d-9f6a-f13564013edc?source=cve" + }, + { + "url": "https://wordpress.org/plugins/wp-fb-autoconnect/#developers", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/wp-fb-autoconnect/#developers" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3211577/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3211577/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Dale Mavers" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12475.json b/2024/12xxx/CVE-2024-12475.json index 7950fe7cedb..7db2a967732 100644 --- a/2024/12xxx/CVE-2024-12475.json +++ b/2024/12xxx/CVE-2024-12475.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12475", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "wpexpertsio", + "product": { + "product_data": [ + { + "product_name": "WP Multi Store Locator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.4.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/089406e7-4f6a-416b-9077-e17c44069300?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/089406e7-4f6a-416b-9077-e17c44069300?source=cve" + }, + { + "url": "https://wordpress.org/plugins/wp-multi-store-locator/#developers", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/wp-multi-store-locator/#developers" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3207533/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3207533/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SOPROBRO" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] }