updates 2024-09-18

Signed-off-by: Weston Steimel <[email protected]>
anchore · Sep 18, 2024 · e48e284 · e48e284
1 parent 5184478
commit e48e284
Show file tree

Hide file tree

Showing 47 changed files with 1,977 additions and 0 deletions.
diff --git a/data/anchore/2024/CVE-2024-22303.json b/data/anchore/2024/CVE-2024-22303.json
@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-22303",
+    "description": "Incorrect Privilege Assignment vulnerability in favethemes Houzez houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.",
+    "needsReview": true,
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-3-2-4-privilege-escalation-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 3.3.0 or a higher version."
+    ],
+    "toDos": [
+      "Check update from Patchstack on which package this should refer to.  There are currently multiple seemingly unrelated records pointing to it"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/themes",
+        "cpes": [
+          "cpe:2.3:a:favethemes:houzez:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "houzez",
+        "packageType": "wordpress-theme",
+        "product": "Houzez",
+        "repo": "https://themes.svn.wordpress.org/houzez",
+        "vendor": "favethemes",
+        "versions": [
+          {
+            "lessThan": "3.3.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-38523.json b/data/anchore/2024/CVE-2024-38523.json
@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "github_m",
+    "cveId": "CVE-2024-38523",
+    "description": "Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/scidsg/hushline/pull/376",
+      "https://github.com/scidsg/hushline/security/advisories/GHSA-4c38-hhxx-9mhx"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://github.com",
+        "cpes": [
+          "cpe:2.3:a:hushline:hush_line:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "scidsg/hushline",
+        "product": "hushline",
+        "repo": "https://github.com/scidsg/hushline",
+        "vendor": "scidsg",
+        "versions": [
+          {
+            "lessThan": "0.1.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43938.json b/data/anchore/2024/CVE-2024-43938.json
@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43938",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jeroen Peters Name Directory allows Reflected XSS.This issue affects Name Directory: from n/a through 1.29.0.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/name-directory/wordpress-name-directory-plugin-1-29-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 1.29.1 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:name_directory_project:name_directory:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "name-directory",
+        "packageType": "wordpress-plugin",
+        "product": "Name Directory",
+        "repo": "https://plugins.svn.wordpress.org/name-directory",
+        "vendor": "Jeroen Peters",
+        "versions": [
+          {
+            "lessThan": "1.29.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f9f72f-01f4-47db-8efd-f25f0276896f?source=cve"
+      }
+    ]
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43969.json b/data/anchore/2024/CVE-2024-43969.json
@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43969",
+    "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.12.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-12-sql-injection-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 4.9.13 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:spiffyplugins:spiffy_calendar:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "spiffy-calendar",
+        "packageType": "wordpress-plugin",
+        "product": "Spiffy Calendar",
+        "repo": "https://plugins.svn.wordpress.org/spiffy-calendar",
+        "vendor": "Spiffy Plugins",
+        "versions": [
+          {
+            "lessThan": "4.9.13",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43970.json b/data/anchore/2024/CVE-2024-43970.json
@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43970",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SureCart allows Reflected XSS.This issue affects SureCart: from n/a through 2.29.3.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/surecart/wordpress-surecart-plugin-2-29-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 2.29.4 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:surecart:surecart:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "surecart",
+        "packageType": "wordpress-plugin",
+        "product": "SureCart",
+        "repo": "https://plugins.svn.wordpress.org/surecart",
+        "vendor": "SureCart",
+        "versions": [
+          {
+            "lessThan": "2.29.4",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f2fdc9d-891e-49c6-9427-620772336854?source=cve"
+      }
+    ]
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43971.json b/data/anchore/2024/CVE-2024-43971.json
@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43971",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Sunshine Sunshine Photo Cart allows Reflected XSS.This issue affects Sunshine Photo Cart: from n/a through 3.2.5.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/sunshine-photo-cart/wordpress-sunshine-photo-cart-free-client-photo-galleries-for-photographers-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 3.2.6 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "sunshine-photo-cart",
+        "packageType": "wordpress-plugin",
+        "product": "Sunshine Photo Cart",
+        "repo": "https://plugins.svn.wordpress.org/sunshine-photo-cart",
+        "vendor": "WP Sunshine",
+        "versions": [
+          {
+            "lessThan": "3.2.6",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb99654-c0f4-4c75-9b9d-f3075db623fc?source=cve"
+      }
+    ]
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43972.json b/data/anchore/2024/CVE-2024-43972.json
@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43972",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagelayer Team PageLayer allows Stored XSS.This issue affects PageLayer: from n/a through 1.8.7.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/pagelayer/wordpress-page-builder-pagelayer-drag-and-drop-website-builder-plugin-1-8-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 1.8.8 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:pagelayer:pagelayer:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "pagelayer",
+        "packageType": "wordpress-plugin",
+        "product": "PageLayer",
+        "repo": "https://plugins.svn.wordpress.org/pagelayer",
+        "vendor": "Pagelayer Team",
+        "versions": [
+          {
+            "lessThan": "1.8.8",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09ac7546-0572-4446-99f7-fe84f76fac9b?source=cve"
+      }
+    ]
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-43975.json b/data/anchore/2024/CVE-2024-43975.json
@@ -0,0 +1,44 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43975",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in highwarden Super Store Finder allows Cross-Site Scripting (XSS).This issue affects Super Store Finder: from n/a through 6.9.7.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 6.9.8 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "superstorefinder-wp",
+        "packageType": "wordpress-plugin",
+        "product": "Super Store Finder",
+        "vendor": "highwarden",
+        "versions": [
+          {
+            "lessThan": "6.9.8",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cba9501-2eb1-4702-889c-d0f4777e72e9?source=cve"
+      }
+    ]
+  }
+}