From 2f32f082d6a5eca797c1c1340543442d24503fc2 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Thu, 5 Dec 2024 10:08:52 +0000 Subject: [PATCH] updates 2024-12-05 Signed-off-by: Weston Steimel --- data/anchore/2024/CVE-2024-10262.json | 3 +- data/anchore/2024/CVE-2024-10567.json | 39 ++++ data/anchore/2024/CVE-2024-10587.json | 38 ++++ data/anchore/2024/CVE-2024-10787.json | 39 ++++ data/anchore/2024/CVE-2024-10885.json | 40 ++++ data/anchore/2024/CVE-2024-10952.json | 41 ++++ data/anchore/2024/CVE-2024-11769.json | 39 ++++ data/anchore/2024/CVE-2024-11952.json | 39 ++++ data/anchore/2024/CVE-2024-5020.json | 300 ++++++++++++++++++++++++++ data/anchore/2024/CVE-2024-54002.json | 39 ++++ data/anchore/2024/CVE-2024-54132.json | 39 ++++ data/anchore/2024/CVE-2024-54153.json | 34 +++ data/anchore/2024/CVE-2024-54154.json | 34 +++ data/anchore/2024/CVE-2024-54155.json | 34 +++ data/anchore/2024/CVE-2024-54156.json | 34 +++ data/anchore/2024/CVE-2024-54157.json | 34 +++ data/anchore/2024/CVE-2024-54158.json | 34 +++ 17 files changed, 859 insertions(+), 1 deletion(-) create mode 100644 data/anchore/2024/CVE-2024-10567.json create mode 100644 data/anchore/2024/CVE-2024-10587.json create mode 100644 data/anchore/2024/CVE-2024-10787.json create mode 100644 data/anchore/2024/CVE-2024-10885.json create mode 100644 data/anchore/2024/CVE-2024-10952.json create mode 100644 data/anchore/2024/CVE-2024-11769.json create mode 100644 data/anchore/2024/CVE-2024-11952.json create mode 100644 data/anchore/2024/CVE-2024-5020.json create mode 100644 data/anchore/2024/CVE-2024-54002.json create mode 100644 data/anchore/2024/CVE-2024-54132.json create mode 100644 data/anchore/2024/CVE-2024-54153.json create mode 100644 data/anchore/2024/CVE-2024-54154.json create mode 100644 data/anchore/2024/CVE-2024-54155.json create mode 100644 data/anchore/2024/CVE-2024-54156.json create mode 100644 data/anchore/2024/CVE-2024-54157.json create mode 100644 data/anchore/2024/CVE-2024-54158.json 
diff --git a/data/anchore/2024/CVE-2024-10262.json b/data/anchore/2024/CVE-2024-10262.json
index f5af264c..792a687a 100644
--- a/data/anchore/2024/CVE-2024-10262.json
+++ b/data/anchore/2024/CVE-2024-10262.json
@@ -21,10 +21,11 @@
 "packageName": "drop-shadow-boxes",
 "packageType": "wordpress-plugin",
 "product": "Drop Shadow Boxes",
+ "repo": "https://plugins.svn.wordpress.org/drop-shadow-boxes",
 "vendor": "stevehenty",
 "versions": [
 {
- "lessThanOrEqual": "1.7.14",
+ "lessThan": "1.7.15",
 "status": "affected",
 "version": "0",
 "versionType": "semver"
diff --git a/data/anchore/2024/CVE-2024-10567.json b/data/anchore/2024/CVE-2024-10567.json
new file mode 100644
index 00000000..c88abe8c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10567.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10567",
+ "description": "The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3199516/ti-woocommerce-wishlist",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a5f2e1a-2216-4885-9b74-a08142816f2b?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:templateinvaders:ti_woocommerce_wishlist:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "ti-woocommerce-wishlist",
+ "packageType": "wordpress-plugin",
+ "product": "TI WooCommerce Wishlist",
+ "repo": "https://plugins.svn.wordpress.org/ti-woocommerce-wishlist",
+ "vendor": "templateinvaders",
+ "versions": [
+ {
+ "lessThan": "2.9.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10587.json b/data/anchore/2024/CVE-2024-10587.json
new file mode 100644
index 00000000..a6c7b211
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10587.json
@@ -0,0 +1,38 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10587",
+ "description": "The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.7.4.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://wordpress.org/plugins/funnelforms-free/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/701e6afe-08fa-49c7-a6da-cb266db07c48?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:funnelforms:funnelforms:*:*:*:*:free:wordpress:*:*"
+ ],
+ "packageName": "funnelforms-free",
+ "packageType": "wordpress-plugin",
+ "product": "Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free",
+ "repo": "https://plugins.svn.wordpress.org/funnelforms-free",
+ "vendor": "funnelforms",
+ "versions": [
+ {
+ "lessThanOrEqual": "3.7.4.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10787.json b/data/anchore/2024/CVE-2024-10787.json
new file mode 100644
index 00000000..da441954
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10787.json
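Review bot: The funnelforms-free affected entry omits `collectionURL`, which every other wordpress-plugin record in this commit carries as `"collectionURL": "https://wordpress.org/plugins"`, so a consumer that groups or filters on that key will treat this record differently from its siblings for no apparent reason. The bound `"lessThanOrEqual": "3.7.4.1"` also has four components while `versionType` is `semver`, which a strict semver comparator will reject; either the type should be `custom`, as the non-semver ranges elsewhere in this commit use, or the range should be written as `"lessThan"` with the first fixed release, the same shape the CVE-2024-10262 hunk above switches to. The fixed version is not on this page, so that value would need to be taken from the plugin changelog rather than assumed.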
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10787",
+ "description": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created by Elementor that they should not have access to.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3198563%40lastudio-element-kit&new=3198563%40lastudio-element-kit&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e63c0fb-7fe7-42f7-8fa9-ec159d3c8117?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:la-studioweb:element_kit_for_elementor:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "lastudio-element-kit",
+ "packageType": "wordpress-plugin",
+ "product": "LA-Studio Element Kit for Elementor",
+ "repo": "https://plugins.svn.wordpress.org/lastudio-element-kit",
+ "vendor": "choijun",
+ "versions": [
+ {
+ "lessThan": "1.4.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10885.json b/data/anchore/2024/CVE-2024-10885.json
new file mode 100644
index 00000000..12374aa2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10885.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10885",
+ "description": "The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/searchiq/tags/4.6/library/shortcode.php#L66",
+ "https://plugins.trac.wordpress.org/changeset/3198694/searchiq/trunk/library/shortcode.php",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/86e8e16f-9d93-457a-9093-2fd236e51682?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:searchiq:searchiq:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "searchiq",
+ "packageType": "wordpress-plugin",
+ "product": "SearchIQ – The Search Solution",
+ "repo": "https://plugins.svn.wordpress.org/searchiq",
+ "vendor": "searchiq",
+ "versions": [
+ {
+ "lessThan": "4.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-10952.json b/data/anchore/2024/CVE-2024-10952.json
new file mode 100644
index 00000000..e999cca4
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-10952.json
@@ -0,0 +1,41 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10952",
+ "description": "The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.4/backend/includes/class-authors-list-item.php#L843",
+ "https://wordpress.org/plugins/authors-list/#developers",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b3cfe0a-dcfb-40f3-ba43-4e838c113010?source=cve",
+ "https://www.wpkube.com/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpkube:authors_list:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "authors-list",
+ "packageType": "wordpress-plugin",
+ "product": "Authors List",
+ "repo": "https://plugins.svn.wordpress.org/authors-list",
+ "vendor": "wpkube",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-11769.json b/data/anchore/2024/CVE-2024-11769.json
new file mode 100644
index 00000000..8c4133e2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-11769.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-11769",
+ "description": "The Flower Delivery by Florist One plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flower-delivery' shortcode in all versions up to, and including, 3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3201180%40flower-delivery-by-florist-one&new=3201180%40flower-delivery-by-florist-one&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/93efae1f-1e4a-48ee-8a69-558c38925250?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:floristone:flower_delivery:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "flower-delivery-by-florist-one",
+ "packageType": "wordpress-plugin",
+ "product": "Flower Delivery by Florist One",
+ "repo": "https://plugins.svn.wordpress.org/flower-delivery-by-florist-one",
+ "vendor": "floristone",
+ "versions": [
+ {
+ "lessThan": "3.9.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-11952.json b/data/anchore/2024/CVE-2024-11952.json
new file mode 100644
index 00000000..6350c8e9
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-11952.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-11952",
+ "description": "The Classic Addons – WPBakery Page Builder plugin for WordPress is vulnerable to Limited Local PHP File Inclusion in all versions up to, and including, 3.0 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The vulnerability is limited to PHP files in a Windows environment.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/classic-addons-wpbakery-page-builder-addons/tags/3.1/addons/testimonial-slider-item/testimonial-slider-item.php#L28",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/9645b17e-6a7c-4cdd-ae43-7d2c84b624cc?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "classic-addons-wpbakery-page-builder-addons",
+ "packageType": "wordpress-plugin",
+ "product": "Classic Addons – WPBakery Page Builder",
+ "repo": "https://plugins.svn.wordpress.org/classic-addons-wpbakery-page-builder-addons",
+ "vendor": "webcodingplace",
+ "versions": [
+ {
+ "lessThan": "3.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
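Review bot: The only CPE in this record, `cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*`, identifies WPBakery Page Builder itself, while `packageName`, `repo` and `vendor` (`webcodingplace`) all identify the third-party Classic Addons plugin; a matcher that relies on the CPE will flag every site running the page builder without the addon and can miss sites that have the addon. Every other wordpress-plugin record in this commit uses the plugin author as the CPE vendor, so unless this string was taken deliberately from an existing dictionary entry it should name the addon's own vendor/product pair (constructed example: `cpe:2.3:a:webcodingplace:classic_addons_-_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*`). The description's note that the issue is limited to Windows environments is not expressible in this schema, so it is reasonable that the range covers all platforms.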
diff --git a/data/anchore/2024/CVE-2024-5020.json b/data/anchore/2024/CVE-2024-5020.json
new file mode 100644
index 00000000..529beac1
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-5020.json
@@ -0,0 +1,300 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-5020",
+ "description": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view",
+ "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder",
+ "https://plugins.trac.wordpress.org/changeset/3156791/form-maker",
+ "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery",
+ "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite",
+ "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox",
+ "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio",
+ "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer",
+ "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free",
+ "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider",
+ "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox",
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3175577%40getwid%2Ftrunk&old=3119180%40getwid%2Ftrunk&sfp_email=&sfph_mail=",
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3186301%40fancybox-for-wordpress%2Ftrunk&old=3058912%40fancybox-for-wordpress%2Ftrunk&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpclever:woo_smart_quick_view:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "woo-smart-quick-view",
+ "packageType": "wordpress-plugin",
+ "product": "WPC Smart Quick View for WooCommerce",
+ "repo": "https://plugins.svn.wordpress.org/woo-smart-quick-view",
+ "vendor": "wpclever",
+ "versions": [
+ {
+ "lessThan": "4.1.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:imagely:nextgen_gallery:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "nextgen-gallery",
+ "packageType": "wordpress-plugin",
+ "product": "Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery",
+ "repo": "https://plugins.svn.wordpress.org/nextgen-gallery",
+ "vendor": "imagely",
+ "versions": [
+ {
+ "lessThan": "3.59.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:bqworks:accordion_slider:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "accordion-slider",
+ "packageType": "wordpress-plugin",
+ "product": "Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery",
+ "repo": "https://plugins.svn.wordpress.org/accordion-slider",
+ "vendor": "bqworks",
+ "versions": [
+ {
+ "lessThan": "1.9.13",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:shapedplugin:wp_carousel_free:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wp-carousel-free",
+ "packageType": "wordpress-plugin",
+ "product": "Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid",
+ "repo": "https://plugins.svn.wordpress.org/wp-carousel-free",
+ "vendor": "ShapedPlugin LLC",
+ "versions": [
+ {
+ "lessThan": "2.6.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "colibri-page-builder",
+ "packageType": "wordpress-plugin",
+ "product": "Colibri Page Builder",
+ "repo": "https://plugins.svn.wordpress.org/colibri-page-builder",
+ "vendor": "extendthemes",
+ "versions": [
+ {
+ "lessThan": "1.0.288",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:enviragallery:envira_gallery:*:*:*:*:lite:wordpress:*:*"
+ ],
+ "packageName": "envira-gallery-lite",
+ "packageType": "wordpress-plugin",
+ "product": "Gallery Plugin for WordPress – Envira Photo Gallery",
+ "repo": "https://plugins.svn.wordpress.org/envira-gallery-lite",
+ "vendor": "smub",
+ "versions": [
+ {
+ "lessThan": "1.8.16",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:web-dorado:form_maker:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "form-maker",
+ "packageType": "wordpress-plugin",
+ "product": "Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder",
+ "repo": "https://plugins.svn.wordpress.org/form-maker",
+ "vendor": "10web",
+ "versions": [
+ {
+ "lessThan": "1.15.28",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:motopress:getwid_-_gutenberg_blocks:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "getwid",
+ "packageType": "wordpress-plugin",
+ "product": "Getwid – Gutenberg Blocks",
+ "repo": "https://plugins.svn.wordpress.org/getwid",
+ "vendor": "jetmonsters",
+ "versions": [
+ {
+ "lessThan": "2.0.12",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:firelightwp:firelight_lightbox:*:*:*:*:*:wordpress:*:*",
+ "cpe:2.3:a:status301:easy_fancybox:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "easy-fancybox",
+ "packageType": "wordpress-plugin",
+ "product": "Firelight Lightbox",
+ "repo": "https://plugins.svn.wordpress.org/easy-fancybox",
+ "vendor": "firelightwp",
+ "versions": [
+ {
+ "lessThan": "2.3.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:dfactory:responsive_lightbox:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "responsive-lightbox",
+ "packageType": "wordpress-plugin",
+ "product": "Responsive Lightbox & Gallery",
+ "repo": "https://plugins.svn.wordpress.org/responsive-lightbox",
+ "vendor": "dfactory",
+ "versions": [
+ {
+ "lessThan": "2.4.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:colorlib:fancybox:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "fancybox-for-wordpress",
+ "packageType": "wordpress-plugin",
+ "product": "FancyBox for WordPress",
+ "repo": "https://plugins.svn.wordpress.org/fancybox-for-wordpress",
+ "vendor": "colorlibplugins",
+ "versions": [
+ {
+ "lessThan": "3.3.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:visualportfolio:visual_portfolio\\,_photo_gallery_\\&_post_grid:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "visual-portfolio",
+ "packageType": "wordpress-plugin",
+ "product": "Visual Portfolio, Photo Gallery & Post Grid",
+ "repo": "https://plugins.svn.wordpress.org/visual-portfolio",
+ "vendor": "nko",
+ "versions": [
+ {
+ "lessThan": "3.3.10",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "fv-wordpress-flowplayer",
+ "packageType": "wordpress-plugin",
+ "product": "FV Flowplayer Video Player",
+ "repo": "https://plugins.svn.wordpress.org/fv-wordpress-flowplayer",
+ "vendor": "foliovision",
+ "versions": [
+ {
+ "lessThan": "7.5.48.7212",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:easysocialfeed:easy_social_feed:*:*:*:*:free:wordpress:*:*"
+ ],
+ "packageName": "easy-facebook-likebox",
+ "packageType": "wordpress-plugin",
+ "product": "Easy Social Feed",
+ "repo": "https://plugins.svn.wordpress.org/easy-facebook-likebox",
+ "vendor": "Easy Social Feed",
+ "versions": [
+ {
+ "lessThanOrEqual": "6.6.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54002.json b/data/anchore/2024/CVE-2024-54002.json
new file mode 100644
index 00000000..8e9a3d69
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54002.json
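Review bot: The accordion-slider entry carries `"product": "Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery"`, which is the preceding nextgen-gallery entry's name repeated, while its `packageName`, `repo` and CPE (`bqworks:accordion_slider`) all identify Accordion Slider; the product string should be that plugin's own name so that human-readable output does not attribute a NextGEN finding to a different package. The `vendor` values are also mixed in form across the fourteen entries: most are the wordpress.org author slug (`wpclever`, `imagely`, `dfactory`), but `"ShapedPlugin LLC"` and `"Easy Social Feed"` are display names with spaces and capitals, so any consumer that matches or groups on vendor will not treat them alike. The easy-facebook-likebox entry is the only one using `lessThanOrEqual` with `"versionType": "custom"` and the only package with no changeset in `references`; that shape is right if no fixed release exists, but it reads as unfinished next to thirteen `lessThan` ranges and a confirming reference would settle it. The fv-wordpress-flowplayer bound `"lessThan": "7.5.48.7212"` has four components under `versionType` `semver`, the same mismatch as in CVE-2024-10587 above.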
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-54002",
+ "description": "Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9w3m-hm36-w32w"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://repo.maven.apache.org",
+ "cpes": [
+ "cpe:2.3:a:owasp:dependency-track:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:org.dependencytrack:dependency-track:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "org.dependencytrack:dependency-track",
+ "packageType": "maven",
+ "product": "dependency-track",
+ "repo": "https://github.com/dependencytrack/dependency-track",
+ "vendor": "DependencyTrack",
+ "versions": [
+ {
+ "lessThan": "4.12.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54132.json b/data/anchore/2024/CVE-2024-54132.json
new file mode 100644
index 00000000..2b48cb26
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54132.json
@@ -0,0 +1,39 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-54132",
+ "description": "The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932",
+ "https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:github:cli:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "github.com/cli/cli/v2",
+ "packageType": "go-module",
+ "product": "cli",
+ "repo": "https://github.com/cli/cli",
+ "vendor": "cli",
+ "versions": [
+ {
+ "lessThan": "2.63.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54153.json b/data/anchore/2024/CVE-2024-54153.json
new file mode 100644
index 00000000..1db507bf
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54153.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54153",
+ "description": "In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.51866",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54154.json b/data/anchore/2024/CVE-2024-54154.json
new file mode 100644
index 00000000..815584c7
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54154.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54154",
+ "description": "In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.51866",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54155.json b/data/anchore/2024/CVE-2024-54155.json
new file mode 100644
index 00000000..c62f5d82
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54155.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54155",
+ "description": "In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.51866",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54156.json b/data/anchore/2024/CVE-2024-54156.json
new file mode 100644
index 00000000..6505e0ed
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54156.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54156",
+ "description": "In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.52635",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54157.json b/data/anchore/2024/CVE-2024-54157.json
new file mode 100644
index 00000000..7e4e90a8
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54157.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54157",
+ "description": "In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.52635",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54158.json b/data/anchore/2024/CVE-2024-54158.json
new file mode 100644
index 00000000..780e8166
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54158.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "jetbrains",
+ "cveId": "CVE-2024-54158",
+ "description": "In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://www.jetbrains.com/privacy-security/issues-fixed/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*"
+ ],
+ "product": "YouTrack",
+ "vendor": "JetBrains",
+ "versions": [
+ {
+ "lessThan": "2024.3.52635",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file