From e209602b6918a5c5b17e34b973c367a3120a12ff Mon Sep 17 00:00:00 2001 From: CVE Team Date: Thu, 5 Dec 2024 10:00:31 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/10xxx/CVE-2024-10056.json | 81 ++++++++++++++++++++++++++++++-- 2024/10xxx/CVE-2024-10777.json | 76 ++++++++++++++++++++++++++++-- 2024/10xxx/CVE-2024-10848.json | 76 ++++++++++++++++++++++++++++-- 2024/11xxx/CVE-2024-11324.json | 81 ++++++++++++++++++++++++++++++-- 2024/11xxx/CVE-2024-11341.json | 76 ++++++++++++++++++++++++++++-- 2024/11xxx/CVE-2024-11420.json | 76 ++++++++++++++++++++++++++++-- 2024/11xxx/CVE-2024-11779.json | 86 ++++++++++++++++++++++++++++++++-- 2024/45xxx/CVE-2024-45841.json | 80 +++++++++++++++++++++++++++++-- 2024/47xxx/CVE-2024-47133.json | 80 +++++++++++++++++++++++++++++-- 2024/52xxx/CVE-2024-52564.json | 80 +++++++++++++++++++++++++++++-- 10 files changed, 752 insertions(+), 40 deletions(-) diff --git a/2024/10xxx/CVE-2024-10056.json b/2024/10xxx/CVE-2024-10056.json index af5e62befef..88d9fcce60a 100644 --- a/2024/10xxx/CVE-2024-10056.json +++ b/2024/10xxx/CVE-2024-10056.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10056", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "eyale-vc", + "product": { + "product_data": [ + { + "product_name": "Contact Form Builder by vcita", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.10.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1b419c-2276-415d-8c54-15da9125c442?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1b419c-2276-415d-8c54-15da9125c442?source=cve" + }, + { + "url": "https://wordpress.org/plugins/contact-form-with-a-meeting-scheduler-by-vcita/#developers", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/contact-form-with-a-meeting-scheduler-by-vcita/#developers" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3200766/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3200766/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Peter Thaleikis" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/10xxx/CVE-2024-10777.json b/2024/10xxx/CVE-2024-10777.json index d89713719df..5f92f9d8cfc 100644 --- a/2024/10xxx/CVE-2024-10777.json +++ b/2024/10xxx/CVE-2024-10777.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10777", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The AnyWhere Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.11 via the 'INSERT_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639 Authorization Bypass Through User-Controlled Key", + "cweId": "CWE-639" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "wpvibes", + "product": { + "product_data": [ + { + "product_name": "AnyWhere Elementor", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.2.11" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2138634-c149-4fd1-a33d-351bbf633ea3?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2138634-c149-4fd1-a33d-351bbf633ea3?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3198665%40anywhere-elementor&new=3198665%40anywhere-elementor&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3198665%40anywhere-elementor&new=3198665%40anywhere-elementor&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Francesco Carlucci" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "baseScore": 4.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/10xxx/CVE-2024-10848.json b/2024/10xxx/CVE-2024-10848.json index 84050728559..acaca364e44 100644 --- a/2024/10xxx/CVE-2024-10848.json +++ b/2024/10xxx/CVE-2024-10848.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10848", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The NewsMunch theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "desertthemes", + "product": { + "product_data": [ + { + "product_name": "NewsMunch", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.0.35" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a2b0ff4-9471-4fd0-ac1a-ed5b7b4af4ff?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a2b0ff4-9471-4fd0-ac1a-ed5b7b4af4ff?source=cve" + }, + { + "url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=250663%40newsmunch&new=250663%40newsmunch&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=250663%40newsmunch&new=250663%40newsmunch&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Matthew Rollings" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11324.json b/2024/11xxx/CVE-2024-11324.json index 39b4d69e247..8ff174b53c0 100644 --- a/2024/11xxx/CVE-2024-11324.json +++ b/2024/11xxx/CVE-2024-11324.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11324", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Accounting for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "bastho", + "product": { + "product_data": [ + { + "product_name": "Accounting for WooCommerce", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.6.6" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f34b7518-5cb3-4b4e-8b18-927c08c045f7?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f34b7518-5cb3-4b4e-8b18-927c08c045f7?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/accounting-for-woocommerce/tags/stable/views/export.php#L46", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/accounting-for-woocommerce/tags/stable/views/export.php#L46" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3201725/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3201725/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Dale Mavers" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11341.json b/2024/11xxx/CVE-2024-11341.json index 4abf2bc0c86..12132196b3d 100644 --- a/2024/11xxx/CVE-2024-11341.json +++ b/2024/11xxx/CVE-2024-11341.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11341", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Simple Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and redirect all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "ecolosites", + "product": { + "product_data": [ + { + "product_name": "Simple Redirection", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.5" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fa84344-8672-43e1-a430-094021f7366f?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fa84344-8672-43e1-a430-094021f7366f?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3201717/", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3201717/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SOPROBRO" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "baseScore": 4.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11420.json b/2024/11xxx/CVE-2024-11420.json index fe28ce8bd31..aa2a624087c 100644 --- a/2024/11xxx/CVE-2024-11420.json +++ b/2024/11xxx/CVE-2024-11420.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11420", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Info Block link parameter in all versions up to, and including, 2.0.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "creativethemeshq", + "product": { + "product_data": [ + { + "product_name": "Blocksy", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.0.77" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02ad47d5-f011-4e0a-af29-088852d1e886?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02ad47d5-f011-4e0a-af29-088852d1e886?source=cve" + }, + { + "url": "https://themes.trac.wordpress.org/changeset/249744/blocksy/2.0.78/inc/components/contacts-box.php", + "refsource": "MISC", + "name": "https://themes.trac.wordpress.org/changeset/249744/blocksy/2.0.78/inc/components/contacts-box.php" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "D.Sim" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11779.json b/2024/11xxx/CVE-2024-11779.json index 8ad5736ccf8..2f8ad29614d 100644 --- a/2024/11xxx/CVE-2024-11779.json +++ b/2024/11xxx/CVE-2024-11779.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11779", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The WIP WooCarousel Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wip_woocarousel_products_carousel' shortcode in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "alexvtn", + "product": { + "product_data": [ + { + "product_name": "WIP WooCarousel Lite", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.1.6" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50721265-dbbf-4032-a8d6-9cf42a986c0d?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50721265-dbbf-4032-a8d6-9cf42a986c0d?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/wip-woocarousel-lite/trunk/shortcode/products_carousel.php#L52", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/wip-woocarousel-lite/trunk/shortcode/products_carousel.php#L52" + }, + { + "url": "https://wordpress.org/plugins/wip-woocarousel-lite", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/wip-woocarousel-lite" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3199039/wip-woocarousel-lite/trunk/shortcode/products_carousel.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3199039/wip-woocarousel-lite/trunk/shortcode/products_carousel.php" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Djaidja Moundjid" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/45xxx/CVE-2024-45841.json b/2024/45xxx/CVE-2024-45841.json index aad0ad04e08..06dfa120c05 100644 --- a/2024/45xxx/CVE-2024-45841.json +++ b/2024/45xxx/CVE-2024-45841.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-45841", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vultures@jpcert.or.jp", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Incorrect permission assignment for critical resource", + "cweId": "CWE-732" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "I-O DATA DEVICE, INC.", + "product": { + "product_data": [ + { + "product_name": "UD-LT1", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + }, + { + "product_name": "UD-LT1/EX", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/", + "refsource": "MISC", + "name": "https://www.iodata.jp/support/information/2024/11_ud-lt1/" + }, + { + "url": "https://jvn.jp/en/jp/JVN46615026/", + "refsource": "MISC", + "name": "https://jvn.jp/en/jp/JVN46615026/" + } + ] + }, + "impact": { + "cvss": [ + { + "version": "3.0", + "baseSeverity": "MEDIUM", + "baseScore": 6.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] } diff --git a/2024/47xxx/CVE-2024-47133.json b/2024/47xxx/CVE-2024-47133.json index 4bfc34b6c15..3380c7efb7e 100644 --- a/2024/47xxx/CVE-2024-47133.json +++ b/2024/47xxx/CVE-2024-47133.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-47133", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vultures@jpcert.or.jp", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", + "cweId": "CWE-78" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "I-O DATA DEVICE, INC.", + "product": { + "product_data": [ + { + "product_name": "UD-LT1", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + }, + { + "product_name": "UD-LT1/EX", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/", + "refsource": "MISC", + "name": "https://www.iodata.jp/support/information/2024/11_ud-lt1/" + }, + { + "url": "https://jvn.jp/en/jp/JVN46615026/", + "refsource": "MISC", + "name": "https://jvn.jp/en/jp/JVN46615026/" + } + ] + }, + "impact": { + "cvss": [ + { + "version": "3.0", + "baseSeverity": "HIGH", + "baseScore": 7.2, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ] } diff --git a/2024/52xxx/CVE-2024-52564.json b/2024/52xxx/CVE-2024-52564.json index 91b9df0d5f0..c9875279098 100644 --- a/2024/52xxx/CVE-2024-52564.json +++ b/2024/52xxx/CVE-2024-52564.json @@ -1,17 +1,89 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52564", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "vultures@jpcert.or.jp", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Inclusion of undocumented features or chicken bits", + "cweId": "CWE-1242" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "I-O DATA DEVICE, INC.", + "product": { + "product_data": [ + { + "product_name": "UD-LT1", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + }, + { + "product_name": "UD-LT1/EX", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "firmware Ver.2.1.8 and earlier" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.iodata.jp/support/information/2024/11_ud-lt1/", + "refsource": "MISC", + "name": "https://www.iodata.jp/support/information/2024/11_ud-lt1/" + }, + { + "url": "https://jvn.jp/en/jp/JVN46615026/", + "refsource": "MISC", + "name": "https://jvn.jp/en/jp/JVN46615026/" + } + ] + }, + "impact": { + "cvss": [ + { + "version": "3.0", + "baseSeverity": "HIGH", + "baseScore": 7.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }