diff --git a/CVE-2024/CVE-2024-134xx/CVE-2024-13426.json b/CVE-2024/CVE-2024-134xx/CVE-2024-13426.json
new file mode 100644
index 00000000000..797ed5332e6
--- /dev/null
+++ b/CVE-2024/CVE-2024-134xx/CVE-2024-13426.json
@@ -0,0 +1,88 @@
+{
+ "id": "CVE-2024-13426",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-01-22T03:15:07.370",
+ "lastModified": "2025-01-22T03:15:07.370",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries. Those queries are stored and results are not displayed to the attacker, which means they cannot be exploited to obtain any additional information about the database. However, a properly configured payload allows for the injection of malicious JavaScript resulting in Stored Cross-Site Scripting."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 5.4,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 2.2,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-89"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/WordPress/wordpress-develop/blob/a82874058f58575dbba64ce09b6dcbd43ccf5fdc/src/wp-includes/default-constants.php#L249",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://github.com/lesterchan/wp-polls",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/polls-logs.php#L294",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/polls-logs.php#L97",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/wp-polls.php#L1378",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/wp-polls.php#L1416",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3224709%40wp-polls%2Ftrunk&old=2949758%40wp-polls%2Ftrunk&sfp_email=&sfph_mail=",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://wordpress.org/plugins/wp-polls/",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b76de574-2627-46cd-9817-134a009ac3bd?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2024/CVE-2024-135xx/CVE-2024-13584.json b/CVE-2024/CVE-2024-135xx/CVE-2024-13584.json
new file mode 100644
index 00000000000..7369b68c067
--- /dev/null
+++ b/CVE-2024/CVE-2024-135xx/CVE-2024-13584.json
@@ -0,0 +1,64 @@
+{
+ "id": "CVE-2024-13584",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-01-22T04:15:06.907",
+ "lastModified": "2025-01-22T04:15:06.907",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Picture Gallery \u2013 Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 3.1,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/picture-gallery/trunk/inc/shortcodes.php#L49",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3218329%40picture-gallery&new=3218329%40picture-gallery&sfp_email=&sfph_mail=",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f721733-2245-4d8d-9881-91cc0b48551b?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2024/CVE-2024-135xx/CVE-2024-13590.json b/CVE-2024/CVE-2024-135xx/CVE-2024-13590.json
new file mode 100644
index 00000000000..5e82ce0b833
--- /dev/null
+++ b/CVE-2024/CVE-2024-135xx/CVE-2024-13590.json
@@ -0,0 +1,60 @@
+{
+ "id": "CVE-2024-13590",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-01-22T04:15:07.083",
+ "lastModified": "2025-01-22T04:15:07.083",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 3.1,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/changeset/3222176/",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d25e292-b62b-493e-976c-a5eb95505065?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index f3eada6af1a..d99de49f499 100644
--- a/README.md
+++ b/README.md
@@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2025-01-22T03:00:30.879977+00:00 +2025-01-22T05:00:34.669759+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2025-01-22T02:15:34.443000+00:00 +2025-01-22T04:15:07.083000+00:00 ``` ### Last Data Feed Release @@ -33,19 +33,16 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -278449 +278452 ``` ### CVEs added in the last Commit -Recently added CVEs: `6` +Recently added CVEs: `3` -- [CVE-2025-0625](CVE-2025/CVE-2025-06xx/CVE-2025-0625.json) (`2025-01-22T02:15:31.123`) -- [CVE-2025-23083](CVE-2025/CVE-2025-230xx/CVE-2025-23083.json) (`2025-01-22T02:15:33.930`) -- [CVE-2025-23087](CVE-2025/CVE-2025-230xx/CVE-2025-23087.json) (`2025-01-22T02:15:34.080`) -- [CVE-2025-23088](CVE-2025/CVE-2025-230xx/CVE-2025-23088.json) (`2025-01-22T02:15:34.207`) -- [CVE-2025-23089](CVE-2025/CVE-2025-230xx/CVE-2025-23089.json) (`2025-01-22T02:15:34.327`) -- [CVE-2025-23090](CVE-2025/CVE-2025-230xx/CVE-2025-23090.json) (`2025-01-22T02:15:34.443`) +- [CVE-2024-13426](CVE-2024/CVE-2024-134xx/CVE-2024-13426.json) (`2025-01-22T03:15:07.370`) +- [CVE-2024-13584](CVE-2024/CVE-2024-135xx/CVE-2024-13584.json) (`2025-01-22T04:15:06.907`) +- [CVE-2024-13590](CVE-2024/CVE-2024-135xx/CVE-2024-13590.json) (`2025-01-22T04:15:07.083`) ### CVEs modified in the last Commit diff --git a/_state.csv b/_state.csv index 8f2c5688d03..eb22d325814 100644 --- a/_state.csv +++ b/_state.csv 
@@ -246051,6 +246051,7 @@ CVE-2024-13401,0,0,5efe32d869945c8cf2c8e98762f61d5eb40d85526a7f385be1d59dce88509
 CVE-2024-13404,0,0,b58f4e5da266e40a7294b1c5385e421341df230f5fb30104fb5c9ea0c1e7114b,2025-01-21T10:15:07.823000
 CVE-2024-1341,0,0,090bf84c5ce2b0dfeca3a04f998237d36add49409b51be286587af2f8364beb8,2024-11-21T08:50:22.300000
 CVE-2024-1342,0,0,2f41e6eac1e33a309fc72543d371a67df7cdf22eae12449849cd3aab8e438d93,2024-10-14T22:15:03.180000
+CVE-2024-13426,1,1,ca26adc038606c0d17de30f213ba8a6e9e80443de40a7686c6aa3edda3908eec,2025-01-22T03:15:07.370000
 CVE-2024-1343,0,0,7c2447499342d3573955d9e9545316db90429adf3b266826e2ed2754189f075e,2024-11-21T08:50:22.433000
 CVE-2024-13432,0,0,7d75f67ac18cf32d5dc44570eb7cf156c877d943529d3637d5b0bb399b86a599,2025-01-18T07:15:08.983000
 CVE-2024-13433,0,0,b744d44080e2e33c41984f231e71d8cc1252181c511f568444c5c86671c3eb05,2025-01-18T07:15:09.160000
@@ -246080,7 +246081,9 @@ CVE-2024-1355,0,0,6172baf85be4d7a27bbb49e6e2c61129e709fa636052c76496ed45a6120298
 CVE-2024-1356,0,0,6cb6186c899ef9742e559deecf7de4862ea2bb78bef5eed0c472ae9df79196b1,2024-11-21T08:50:24.133000
 CVE-2024-1357,0,0,25eaf5b978f8da82b4d3e5ed8aa890834adc21c061c9c9c169613a72fe6996b1,2024-11-21T08:50:24.283000
 CVE-2024-1358,0,0,c4ea31b36cfcd7f75873d740d9e38ca70692f76dad02370c8ddbe488b8025229,2025-01-17T19:52:41.687000
+CVE-2024-13584,1,1,51a2a8790b306bf6f14abd867916b8a12305829a5bd93ce1ee2660a9c0414149,2025-01-22T04:15:06.907000
 CVE-2024-1359,0,0,8114a50ae134a93430da828655ce595d1020af44415effc85b05f4f190881d3c,2024-11-21T08:50:24.543000
+CVE-2024-13590,1,1,e744f6d4395f4b003bd865fd245dc1ce88f3f6497b82dad9a2ff5ecb2f4434d5,2025-01-22T04:15:07.083000
 CVE-2024-1360,0,0,a87675d91847a9b72ed5368695c7c67c099276d1667e5e94dc544f268946892c,2024-11-21T08:50:24.707000
 CVE-2024-1361,0,0,8a11a93152fbfa05be2934d541581f2e8e8c1350c348ceb554a6a47ec08e0e2f,2025-01-15T18:39:23.493000
 CVE-2024-1362,0,0,ebe61894e3dd1fecb8d4711188e9d8f7e6a2ff043508a2ee93131b033a0336dd,2025-01-15T18:40:30.490000
@@ -277479,7 +277482,7 @@ CVE-2025-0590,0,0,c554cb9a0bdc14b97d65dbcaf6b8f0519615dcf5380f9d8d26f0b94a792fad
 CVE-2025-0614,0,0,c85e5b141df45983a9b8023744afed1074e3155c77698a4efcba3b1933f20f8e,2025-01-21T12:15:27.580000
 CVE-2025-0615,0,0,24948b17ddad86445a37019481e808c754a1ff5ca4b2da53c27f9618c73c00c8,2025-01-21T12:15:27.737000
 CVE-2025-0623,0,0,341d910d0f0f4575e107592c92f38288f68e01fe716af21df488a6d82193e481,2025-01-21T17:15:16.817000
-CVE-2025-0625,1,1,aa2cb20c8c831ead0221791f1496fad6fff25e44f479f9085e096921461f29e7,2025-01-22T02:15:31.123000
+CVE-2025-0625,0,0,aa2cb20c8c831ead0221791f1496fad6fff25e44f479f9085e096921461f29e7,2025-01-22T02:15:31.123000
 CVE-2025-20016,0,0,6fccb84eb01c2cd66b422e82777f9738bfe5004121e1b551d0ae454724543c0e,2025-01-14T10:15:07.500000
 CVE-2025-20033,0,0,6c60c85e451f1d6db70378d678ddf83dacc7c823ecfb493748ed6d94114eff49,2025-01-09T07:15:28.450000
 CVE-2025-20036,0,0,a1d7639f0e568c5953a2962f5a2be630b5737d729f8c4f565a3eec7e4bf19549,2025-01-15T17:15:18.950000
@@ -278174,12 +278177,12 @@ CVE-2025-23079,0,0,78406696c95877d502c4c9b4607328548f20c8246eeff924786f7d9228881
 CVE-2025-23080,0,0,165d07f7f3ac467de5017c0ed6cba0e28a556747a1eb136b531ca8b1a8ca92c9,2025-01-14T18:16:06.110000
 CVE-2025-23081,0,0,8e8adb61025ad816e7ca7d3f543c46c43aae9a6ff6f38d8ecfef81ad769cb146,2025-01-16T16:15:36.090000
 CVE-2025-23082,0,0,04a4f0f7ff5458b7d3b3235d7001e50f9111979d3e99a4d703024d8cba8b9a7c,2025-01-14T16:15:36.200000
-CVE-2025-23083,1,1,96e17b9541b5785369a10e3178c2a88e7a9de1d1fb3ff3a42cc758823962d93d,2025-01-22T02:15:33.930000
+CVE-2025-23083,0,0,96e17b9541b5785369a10e3178c2a88e7a9de1d1fb3ff3a42cc758823962d93d,2025-01-22T02:15:33.930000
 CVE-2025-23086,0,0,dde492bd5a142c0b11b6f02556e1eca938bbf23f3754936e124d8d0a78e264d8,2025-01-21T15:15:14.833000
-CVE-2025-23087,1,1,f734d34ba478c71124b633411c2ef6a6aaa50df58eb4e394f876fd8d26bf687f,2025-01-22T02:15:34.080000
-CVE-2025-23088,1,1,2fd95404bc98b1f044c7667a334ab9d2f0f77c782a800085837da32f533b8243,2025-01-22T02:15:34.207000
-CVE-2025-23089,1,1,858e85a13c7c24019106b497bad9f477acc0d09b4d83be9703e45194c6adc016,2025-01-22T02:15:34.327000
-CVE-2025-23090,1,1,60c2993f5152c1c2225f7fb0fe09e82c44ae30ca30de706890e8f55aedf9de0a,2025-01-22T02:15:34.443000
+CVE-2025-23087,0,0,f734d34ba478c71124b633411c2ef6a6aaa50df58eb4e394f876fd8d26bf687f,2025-01-22T02:15:34.080000
+CVE-2025-23088,0,0,2fd95404bc98b1f044c7667a334ab9d2f0f77c782a800085837da32f533b8243,2025-01-22T02:15:34.207000
+CVE-2025-23089,0,0,858e85a13c7c24019106b497bad9f477acc0d09b4d83be9703e45194c6adc016,2025-01-22T02:15:34.327000
+CVE-2025-23090,0,0,60c2993f5152c1c2225f7fb0fe09e82c44ae30ca30de706890e8f55aedf9de0a,2025-01-22T02:15:34.443000
 CVE-2025-23108,0,0,0867ae52bf9537919e00df206497183b5abf45a3a43e56579f476cc3d26e8d6c,2025-01-13T18:15:22.680000
 CVE-2025-23109,0,0,4d519c5c41161d21ebd8f814ea3659acc2224a598528dd7d3e4c7b87a5ad8cc0,2025-01-13T18:15:22.903000
CVE-2025-23110,0,0,b9e32d20d7e6cf23b28c590dc2ad7f239b5186f27517cd303db97f7275b077fa,2025-01-10T22:15:27.550000