updates 2024-12-17

Signed-off-by: Weston Steimel <[email protected]>

data/anchore/2022/CVE-2022-4974.json

@@ -451,11 +451,13 @@
       {
         "collectionURL": "https://wordpress.org/plugins",
         "cpes": [
+          "cpe:2.3:a:stellarwp:the_events_calendar:*:*:*:*:*:wordpress:*:*",
           "cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*"
         ],
         "packageName": "the-events-calendar",
         "packageType": "wordpress-plugin",
         "product": "The Events Calendar",
+        "repo": "https://plugins.svn.wordpress.org/the-events-calendar",
         "vendor": "theeventscalendar",
         "versions": [
           {

data/anchore/2023/CVE-2023-35777.json

@@ -22,6 +22,7 @@
       {
         "collectionURL": "https://wordpress.org/plugins",
         "cpes": [
+          "cpe:2.3:a:stellarwp:the_events_calendar:*:*:*:*:*:wordpress:*:*",
           "cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*"
         ],
         "packageName": "the-events-calendar",

data/anchore/2024/CVE-2024-11905.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11905",
+    "description": "The Animated Counters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animatedcounte' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/animated-counters/trunk/animated-counters.php#L32",
+      "https://wordpress.org/plugins/animated-counters/",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/afd2f09c-4bd5-47a5-8d4f-7345aa8925f8?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T23:24:17.743Z",
+      "dateReserved": "2024-11-27T16:52:28.361Z",
+      "dateUpdated": "2024-12-16T23:24:17.743Z",
+      "digest": "68abb249ad312ce2ae88469152f1ae6fdfee0b2e12d88988cd254f955fb05dd9"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:eralion:animated_counters:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "animated-counters",
+        "packageType": "wordpress-plugin",
+        "product": "Animated Counters",
+        "repo": "https://plugins.svn.wordpress.org/animated-counters",
+        "vendor": "freeben",
+        "versions": [
+          {
+            "lessThanOrEqual": "2.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-35230.json

@@ -0,0 +1,71 @@
+{
+  "additionalMetadata": {
+    "cna": "github_m",
+    "cveId": "CVE-2024-35230",
+    "description": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8",
+      "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920",
+      "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T22:18:19.896Z",
+      "dateReserved": "2024-05-14T15:39:41.785Z",
+      "dateUpdated": "2024-12-16T22:18:19.896Z",
+      "digest": "8929faba860c3a8d0c1115ff5a726765cf957eed759ff5f41f221fc7a0c13660"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://repo.osgeo.org",
+        "cpes": [
+          "cpe:2.3:a:org.geoserver.web:gs-web-core:*:*:*:*:*:maven:*:*"
+        ],
+        "packageName": "org.geoserver.web:gs-web-core",
+        "packageType": "maven",
+        "product": "gs-web-core",
+        "repo": "https://github.com/geoserver/geoserver",
+        "vendor": "geoserver",
+        "versions": [
+          {
+            "lessThan": "2.26.0",
+            "status": "affected",
+            "version": "2.0.0",
+            "versionType": "maven"
+          }
+        ]
+      },
+      {
+        "collectionURL": "https://repo.osgeo.org",
+        "cpes": [
+          "cpe:2.3:a:org.geoserver.web:gs-web-app:*:*:*:*:*:maven:*:*"
+        ],
+        "packageName": "org.geoserver.web:gs-web-app",
+        "packageType": "maven",
+        "product": "gs-web-app",
+        "repo": "https://github.com/geoserver/geoserver",
+        "vendor": "geoserver",
+        "versions": [
+          {
+            "lessThan": "2.24.4",
+            "status": "affected",
+            "version": "2.10.0",
+            "versionType": "maven"
+          },
+          {
+            "lessThan": "2.25.1",
+            "status": "affected",
+            "version": "2.25.0",
+            "versionType": "maven"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-36107.json

@@ -2,6 +2,9 @@
   "additionalMetadata": {
     "cna": "github_m",
     "cveId": "CVE-2024-36107",
+    "notes": [
+      "The GitHub release fixed version is RELEASE.2024-05-27t19-17-46z, which corresponds to go module version v0.0.0-20240527191746-e0fe7cc39172"
+    ],
     "reason": "Added CPE configurations because not yet analyzed by NVD.",
     "references": [
       "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since",
@@ -25,10 +28,10 @@
         "vendor": "minio",
         "versions": [
           {
-            "lessThan": "RELEASE.2024-05-27t19-17-46z",
+            "lessThan": "v0.0.0-20240527191746-e0fe7cc39172",
             "status": "affected",
             "version": "0",
-            "versionType": "custom"
+            "versionType": "go"
           }
         ]
       }

data/anchore/2024/CVE-2024-37251.json

@@ -0,0 +1,47 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-37251",
+    "description": "Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n/a before 6.3.2.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/wordpress/plugin/advanced-custom-fields-pro/vulnerability/wordpress-advanced-custom-fields-pro-plugin-6-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 6.3.2 or a higher version."
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T15:03:38.797Z",
+      "dateReserved": "2024-06-04T16:46:44.985Z",
+      "dateUpdated": "2024-12-16T16:34:56.373Z",
+      "digest": "9d6bd4f38e1a9e09a31e9f3aeb04105e2e72f1f1fc1867491bf246266f1674ca"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*"
+        ],
+        "packageName": "advanced-custom-fields",
+        "packageType": "wordpress-plugin",
+        "product": "Advanced Custom Fields PRO",
+        "repo": "https://plugins.svn.wordpress.org/advanced-custom-fields",
+        "vendor": "WPENGINE, INC.",
+        "versions": [
+          {
+            "lessThan": "6.3.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-4180.json

@@ -18,6 +18,7 @@
         "packageName": "the-events-calendar",
         "packageType": "wordpress-plugin",
         "product": "The Events Calendar",
+        "repo": "https://plugins.svn.wordpress.org/the-events-calendar",
         "versions": [
           {
             "lessThan": "6.4.0.1",

data/anchore/2024/CVE-2024-5333.json

@@ -0,0 +1,44 @@
+{
+  "additionalMetadata": {
+    "cna": "wpscan",
+    "cveId": "CVE-2024-5333",
+    "description": "The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://wpscan.com/vulnerability/764b5a23-8b51-4882-b899-beb54f684984/"
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T06:00:05.897Z",
+      "dateReserved": "2024-05-24T18:27:38.074Z",
+      "dateUpdated": "2024-12-16T16:47:55.953Z",
+      "digest": "076e2a0c12a0c884db0981553eb58b7f0ac045250569c1a045284f4be6ade259"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:stellarwp:the_events_calendar:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:tri:the_events_calendar:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "the-events-calendar",
+        "packageType": "wordpress-plugin",
+        "product": "The Events Calendar",
+        "repo": "https://plugins.svn.wordpress.org/the-events-calendar",
+        "versions": [
+          {
+            "lessThan": "6.8.2.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-54257.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-54257",
+    "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Molefed allows Reflected XSS.This issue affects tydskrif: from n/a through 1.1.3.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/wordpress/theme/tydskrif/vulnerability/wordpress-tydskrif-theme-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T15:40:24.007Z",
+      "dateReserved": "2024-12-02T12:03:42.956Z",
+      "dateUpdated": "2024-12-16T16:31:57.921Z",
+      "digest": "e8a481e833630393f074e8ea2e622688be2b709e9bf4361a0f53d5f7af5bd3ac"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/themes",
+        "cpes": [
+          "cpe:2.3:a:ayecode:restaurant_pt:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:wpmole:tydskrif:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "tydskrif",
+        "packageType": "wordpress-theme",
+        "product": "tydskrif",
+        "repo": "https://themes.svn.wordpress.org/tydskrif",
+        "vendor": "Molefed",
+        "versions": [
+          {
+            "lessThanOrEqual": "1.1.3",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-54355.json

@@ -0,0 +1,47 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-54355",
+    "description": "Cross-Site Request Forgery (CSRF) vulnerability in brandtoss WP Mailster allows Cross Site Request Forgery.This issue affects WP Mailster: from n/a through 1.8.17.0.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/wordpress/plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-17-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update the WordPress WP Mailster wordpress plugin to the latest available version (at least 1.8.18.0)."
+    ],
+    "upstream": {
+      "datePublished": "2024-12-16T14:14:13.158Z",
+      "dateReserved": "2024-12-02T12:05:27.399Z",
+      "dateUpdated": "2024-12-16T19:47:41.787Z",
+      "digest": "7c2be65435b8ced13768a5e69f08fd9f97de567b85e4f2d34584a535ac12a902"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "wp-mailster",
+        "packageType": "wordpress-plugin",
+        "product": "WP Mailster",
+        "repo": "https://plugins.svn.wordpress.org/wp-mailster",
+        "vendor": "brandtoss",
+        "versions": [
+          {
+            "lessThanOrEqual": "1.8.17.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}