From dda36156957c05d2e856e259c309c71a5f24ec4a Mon Sep 17 00:00:00 2001
From: cad-safe-bot
Date: Wed, 26 Mar 2025 05:03:50 +0000
Subject: [PATCH] Auto-Update: 2025-03-26T05:00:19.976184+00:00
---
 CVE-2025/CVE-2025-14xx/CVE-2025-1490.json | 64 +++++++++++++++++++
 CVE-2025/CVE-2025-21xx/CVE-2025-2165.json | 64 +++++++++++++++++++
 CVE-2025/CVE-2025-25xx/CVE-2025-2573.json | 68 +++++++++++++++++++++
 CVE-2025/CVE-2025-25xx/CVE-2025-2576.json | 68 +++++++++++++++++++++
 CVE-2025/CVE-2025-307xx/CVE-2025-30742.json | 29 +++++++++
 README.md | 16 +++--
 _state.csv | 7 ++-
 7 files changed, 309 insertions(+), 7 deletions(-)
 create mode 100644 CVE-2025/CVE-2025-14xx/CVE-2025-1490.json
 create mode 100644 CVE-2025/CVE-2025-21xx/CVE-2025-2165.json
 create mode 100644 CVE-2025/CVE-2025-25xx/CVE-2025-2573.json
 create mode 100644 CVE-2025/CVE-2025-25xx/CVE-2025-2576.json
 create mode 100644 CVE-2025/CVE-2025-307xx/CVE-2025-30742.json
diff --git a/CVE-2025/CVE-2025-14xx/CVE-2025-1490.json b/CVE-2025/CVE-2025-14xx/CVE-2025-1490.json
new file mode 100644
index 00000000000..329af65aad0
--- /dev/null
+++ b/CVE-2025/CVE-2025-14xx/CVE-2025-1490.json
@@ -0,0 +1,64 @@
+{
+ "id": "CVE-2025-1490",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-03-26T03:15:12.257",
+ "lastModified": "2025-03-26T03:15:12.257",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Smart Maintenance Mode plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018setstatus\u2019 parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "REQUIRED",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 2.8,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/smart-maintenance-mode/trunk/smart-maintenance-mode.php#L562",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://wordpress.org/plugins/smart-maintenance-mode/#developers",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea9ca8ac-e735-4e84-af0f-45d22a8e2124?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-21xx/CVE-2025-2165.json b/CVE-2025/CVE-2025-21xx/CVE-2025-2165.json
new file mode 100644
index 00000000000..d4fe7ab2c20
--- /dev/null
+++ b/CVE-2025/CVE-2025-21xx/CVE-2025-2165.json
@@ -0,0 +1,64 @@
+{
+ "id": "CVE-2025-2165",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-03-26T03:15:12.853",
+ "lastModified": "2025-03-26T03:15:12.853",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "REQUIRED",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 2.8,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/sh-email-alert/tags/1.0/manage.php#L156",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://wordpress.org/plugins/sh-email-alert/",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc20180b-4665-4ade-b512-b0f0148200e7?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-25xx/CVE-2025-2573.json b/CVE-2025/CVE-2025-25xx/CVE-2025-2573.json
new file mode 100644
index 00000000000..d873e94b42d
--- /dev/null
+++ b/CVE-2025/CVE-2025-25xx/CVE-2025-2573.json
@@ -0,0 +1,68 @@
+{
+ "id": "CVE-2025-2573",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-03-26T03:15:13.033",
+ "lastModified": "2025-03-26T03:15:13.033",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 3.1,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/amazing-service-box-visual-composer-addons/trunk/asb_addon.php#L114",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/amazing-service-box-visual-composer-addons/trunk/asb_addon.php#L45",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://wordpress.org/plugins/amazing-service-box-visual-composer-addons/#developers",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4f6ce4d-6ca5-4a62-ae84-9dd190fc0392?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-25xx/CVE-2025-2576.json b/CVE-2025/CVE-2025-25xx/CVE-2025-2576.json
new file mode 100644
index 00000000000..1f0fea9883d
--- /dev/null
+++ b/CVE-2025/CVE-2025-25xx/CVE-2025-2576.json
@@ -0,0 +1,68 @@
+{
+ "id": "CVE-2025-2576",
+ "sourceIdentifier": "security@wordfence.com",
+ "published": "2025-03-26T03:15:13.213",
+ "lastModified": "2025-03-26T03:15:13.213",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The Ayyash Studio \u2014 The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE"
+ },
+ "exploitabilityScore": 3.1,
+ "impactScore": 2.7
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@wordfence.com",
+ "type": "Primary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L351",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L37",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://wordpress.org/plugins/ayyash-studio/#developers",
+ "source": "security@wordfence.com"
+ },
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/634fa1ed-ad6b-4875-b6f9-f20add39dc80?source=cve",
+ "source": "security@wordfence.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-307xx/CVE-2025-30742.json b/CVE-2025/CVE-2025-307xx/CVE-2025-30742.json
new file mode 100644
index 00000000000..f5dac0b8ec7
--- /dev/null
+++ b/CVE-2025/CVE-2025-307xx/CVE-2025-30742.json
@@ -0,0 +1,29 @@
+{
+ "id": "CVE-2025-30742",
+ "sourceIdentifier": "cve@mitre.org",
+ "published": "2025-03-26T04:15:23.403",
+ "lastModified": "2025-03-26T04:15:23.403",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "httpd.c in atophttpd 2.8.0 has an off-by-one error and resultant out-of-bounds read because a certain 1024-character req string would not have a final '\\0' character."
+ }
+ ],
+ "metrics": {},
+ "references": [
+ {
+ "url": "https://github.com/pizhenwei/atophttpd/blob/74c9f14796b15dc9de5839a5749202f933937a9c/httpd.c#L376-L399",
+ "source": "cve@mitre.org"
+ },
+ {
+ "url": "https://github.com/pizhenwei/atophttpd/blob/74c9f14796b15dc9de5839a5749202f933937a9c/httpd.c#L492-L496",
+ "source": "cve@mitre.org"
+ },
+ {
+ "url": "https://github.com/pizhenwei/atophttpd/blob/74c9f14796b15dc9de5839a5749202f933937a9c/httpd.c#L71-L72",
+ "source": "cve@mitre.org"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index f1b377c65e3..a7983af00bf 100644
--- a/README.md
+++ b/README.md
@@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2025-03-26T03:00:19.850648+00:00 +2025-03-26T05:00:19.976184+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2025-03-26T02:15:25.633000+00:00 +2025-03-26T04:15:23.403000+00:00 ``` ### Last Data Feed Release
@@ -33,20 +33,24 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -286568 +286573 ``` ### CVEs added in the last Commit -Recently added CVEs: `0` +Recently added CVEs: `5` +- [CVE-2025-1490](CVE-2025/CVE-2025-14xx/CVE-2025-1490.json) (`2025-03-26T03:15:12.257`) +- [CVE-2025-2165](CVE-2025/CVE-2025-21xx/CVE-2025-2165.json) (`2025-03-26T03:15:12.853`) +- [CVE-2025-2573](CVE-2025/CVE-2025-25xx/CVE-2025-2573.json) (`2025-03-26T03:15:13.033`) +- [CVE-2025-2576](CVE-2025/CVE-2025-25xx/CVE-2025-2576.json) (`2025-03-26T03:15:13.213`) +- [CVE-2025-30742](CVE-2025/CVE-2025-307xx/CVE-2025-30742.json) (`2025-03-26T04:15:23.403`) ### CVEs modified in the last Commit -Recently modified CVEs: `1` +Recently modified CVEs: `0` -- [CVE-2025-1828](CVE-2025/CVE-2025-18xx/CVE-2025-1828.json) (`2025-03-26T02:15:25.633`) ## Download and Usage
diff --git a/_state.csv b/_state.csv
index afa2303baef..bb1c88897b7 100644
--- a/_state.csv
+++ b/_state.csv
@@ -281834,6 +281834,7 @@ CVE-2025-1486,0,0,a85cea9be2475178530e87928bf3624b11a53f46d4074abad230f2e740ad42
 CVE-2025-1487,0,0,8f772af05106acb51f792dc9fd2468ed15c6e79faf910ab3115c5b2004861341,2025-03-14T16:15:40.263000
 CVE-2025-1488,0,0,8fbfc0f85ec6e8179ff63233271a6a6f56042420a685f641084719c4ae8076e9,2025-03-25T15:32:56.433000
 CVE-2025-1489,0,0,3008549e3d2861f78796256b763f59eec371226dd4b84353f864c64443cf0ecb,2025-02-24T19:45:21.653000
+CVE-2025-1490,1,1,7aff13ba0cf6167c4f44d1a93b4f6f09fdf518d04ba9c05a1bfda108f45e69c2,2025-03-26T03:15:12.257000
 CVE-2025-1491,0,0,2c68d92a6f55bf529fa37ef19f65078661a466e3bd99edb0dd7d2a7b0419f292,2025-03-01T13:15:10.750000
 CVE-2025-1492,0,0,b9223b4db500ae771be5ddc029bc738cd0c9e1261ad47ff66314ecd9bf92d1b3,2025-02-20T02:15:38.553000
 CVE-2025-1496,0,0,00b701fe7bc2e4f39ec7ac2812437dabb31dde7416d14a43308b75ca4d34e495,2025-03-20T14:15:22.920000
@@ -282037,7 +282038,7 @@ CVE-2025-1818,0,0,37447926f9841734f2812c1740f60067b78922f1e49cdd900fb1888b830ace
 CVE-2025-1819,0,0,30aaf321bf598a632d335efe867dfbf1c954d81c19dbf59077d00052427f6e82,2025-03-02T17:15:11.483000
 CVE-2025-1820,0,0,de7c6baac78093b7f0e7c2343af2d32bf8e1894ea47cf7930dd387f103a53ed8,2025-03-03T19:15:33.900000
 CVE-2025-1821,0,0,b3349008b31943d36983f65c5b6d573a651ca8d675ec056cb33951299f02ed59,2025-03-03T19:15:34.030000
-CVE-2025-1828,0,1,6336494f159e2aab4f8ff5b8f853f474cebe8651934831188a6cb50a3e4d076e,2025-03-26T02:15:25.633000
+CVE-2025-1828,0,0,6336494f159e2aab4f8ff5b8f853f474cebe8651934831188a6cb50a3e4d076e,2025-03-26T02:15:25.633000
 CVE-2025-1829,0,0,cdfa3e67c0c277a6177da9bd34f08d7ed678dd9267ec9b77fb630e0d887cc4f0,2025-03-03T18:15:31.937000
 CVE-2025-1830,0,0,b7d520c7dab1ad06ab8077ecd612df524f731c0cd8662ed0f43d61b14b168f12,2025-03-03T22:15:37.637000
 CVE-2025-1831,0,0,df633658ed50bfe4aae872b54c5326e5accc4a7746409c9cf665f4b4ab647254,2025-03-03T18:15:32.520000
@@ -282841,6 +282842,7 @@ CVE-2025-21646,0,0,751e9512a6f4482d5f98e27fee57d878d181b41c78a8c4c8fe41304d573c6
 CVE-2025-21647,0,0,364d8fe2a4a4581fc19523cce621fd21d39be059ff2f15125f2c929a3bec10fd,2025-03-13T13:15:47.797000
 CVE-2025-21648,0,0,1e28b61383e7660836dbbb26d762b1871cd28f2a60ea4ccb673beb93821501a9,2025-02-02T11:15:15.433000
 CVE-2025-21649,0,0,83a08c42f448e1e2fb20d671a214f30c7bf25568b8e5958ef29572790d694059,2025-01-31T15:56:17.907000
+CVE-2025-2165,1,1,ca51b0e659fccf2df74ab0d83d12d56d071c971012f0e70d2aa1edd020d1b63a,2025-03-26T03:15:12.853000
 CVE-2025-21650,0,0,979a638a4fc2874261a1028ffe64fc716d1395d9b241ea774792153993d8eac2,2025-02-27T22:00:13.243000
 CVE-2025-21651,0,0,d057ff764ce31c4ac7e93c37cb4ba424635250ef668040e2530ccd52f14e89f7,2025-01-19T11:15:10.733000
 CVE-2025-21652,0,0,20d739461f3527398cd43bd52a6f89c66a16cc1ddb96e5765be31fe2e5b35e8e,2025-02-10T18:15:34.883000
@@ -285313,6 +285315,7 @@ CVE-2025-25726,0,0,1241b8ce4f2f3e5a9582d1cb34e021df8b6f066d37fe203461681ffda7c05
 CVE-2025-25727,0,0,0d1a14c99242a40bd0c002eb63b1280a7e4062b40e6f0343d27881c4635e114e,2025-03-19T21:15:38.690000
 CVE-2025-25728,0,0,8bf984e1467b4d8142842e319e1c0a79db3cce3b3976d2a54ebea90ce191a5f5,2025-03-19T21:15:38.837000
 CVE-2025-25729,0,0,37dccbd23e8b05f5aabcfb584977649888f3f534d26d5e574ce2d7e88687c4b1,2025-02-28T16:15:39.707000
+CVE-2025-2573,1,1,5407182d688c1e5ddce6677978592083468bfcf4169e97fe7cf1eac512e1bd0d,2025-03-26T03:15:13.033000
 CVE-2025-25730,0,0,2d4e8c99634c9753085f1bf0f3dc2ae2d2ae9a31f8634761394f303c2de1e717,2025-02-28T20:15:46.803000
 CVE-2025-2574,0,0,653869cfb363acb2f0468669bbe8350777d1f02ebecb92b7935efe95ed02ca0d,2025-03-20T21:15:23.880000
 CVE-2025-25740,0,0,cd2bc7638ab565462203ba75cf0c1903fed130191464a51442647e9686692755,2025-03-17T19:15:25.963000
@@ -285327,6 +285330,7 @@ CVE-2025-25748,0,0,96ee59038cfc6610b701bf16c7385a6f931893dac6088fabf2cfc738c5088
 CVE-2025-25749,0,0,48ffe6e71546757806d82af2032197f3e8ebd995091be3438b8e1ca1e43f9b3d,2025-03-24T18:15:23.347000
 CVE-2025-25758,0,0,84e8fc30738cca0c52ccb9ec84454af6fabcb6aff2886596da2dcdf618a748ca,2025-03-24T16:15:56.283000
 CVE-2025-25759,0,0,293b850ebe0a274765acc91f23faade1c53b146b12bb218a57ca1cee0ac51835,2025-03-04T15:15:28.353000
+CVE-2025-2576,1,1,b8909c64ebc06a75c7bda661d6b9d3de8d8be6be0808c75dc46a3751c27fb649,2025-03-26T03:15:13.213000
 CVE-2025-25760,0,0,963e7e75521960c9620a7affa1021c0ca484b511b623074b9cde550324014cef,2025-03-04T15:15:28.590000
 CVE-2025-25761,0,0,f248f6741f63a9a7aedabfe16b412988575b28956c4c9e9dd6d7c9dcf3c9c70f,2025-02-27T15:15:41.777000
 CVE-2025-25763,0,0,929a22c6e16286b1fdbe20f1a31e0445b855c096791fb0d6f77563158b5a789d,2025-03-07T20:15:38.180000
@@ -286567,3 +286571,4 @@ CVE-2025-30620,0,0,8cb20ec3a9d4fd9c59608e97a0d5ae368b50e3d06eb12b3515695a603531a
 CVE-2025-30621,0,0,5d4cdbcdb4b4fcd90b5f2b2106f218b95148d82610e047fabd8c26e50f6e3ad9,2025-03-24T14:15:34.660000
 CVE-2025-30623,0,0,1d1d541570cee9e8bd680cf66c388813ad97d6b9db28e22b406d83cc5fc8feed,2025-03-24T14:15:34.797000
 CVE-2025-30741,0,0,7e28be04c44c5eca306e67e9d56487026b2aeeec1bb89000fe389b1b3e3b5fba,2025-03-25T21:15:43.527000
+CVE-2025-30742,1,1,734dd810ea1c40492ac4238ec29540a79138d45b6287776b9ce415b95263469e,2025-03-26T04:15:23.403000