diff --git a/data/anchore/2024/CVE-2024-22303.json b/data/anchore/2024/CVE-2024-22303.json new file mode 100644 index 00000000..9af7d21c --- /dev/null +++ b/data/anchore/2024/CVE-2024-22303.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-22303", + "description": "Incorrect Privilege Assignment vulnerability in favethemes Houzez houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.", + "needsReview": true, + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-3-2-4-privilege-escalation-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 3.3.0 or a higher version." + ], + "toDos": [ + "Check update from Patchstack on which package this should refer to. There are currently multiple seemingly unrelated records pointing to it" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/themes", + "cpes": [ + "cpe:2.3:a:favethemes:houzez:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "houzez", + "packageType": "wordpress-theme", + "product": "Houzez", + "repo": "https://themes.svn.wordpress.org/houzez", + "vendor": "favethemes", + "versions": [ + { + "lessThan": "3.3.0", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-38523.json b/data/anchore/2024/CVE-2024-38523.json new file mode 100644 index 00000000..d35b7466 --- /dev/null +++ b/data/anchore/2024/CVE-2024-38523.json @@ -0,0 +1,38 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-38523", + "description": "Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/scidsg/hushline/pull/376", + "https://github.com/scidsg/hushline/security/advisories/GHSA-4c38-hhxx-9mhx" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:hushline:hush_line:*:*:*:*:*:*:*:*" + ], + "packageName": "scidsg/hushline", + "product": "hushline", + "repo": "https://github.com/scidsg/hushline", + "vendor": "scidsg", + "versions": [ + { + "lessThan": "0.1.0", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43938.json b/data/anchore/2024/CVE-2024-43938.json new file mode 100644 index 00000000..e670a66f --- /dev/null +++ b/data/anchore/2024/CVE-2024-43938.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43938", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jeroen Peters Name Directory allows Reflected XSS.This issue affects Name Directory: from n/a through 1.29.0.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/name-directory/wordpress-name-directory-plugin-1-29-0-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 1.29.1 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:name_directory_project:name_directory:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "name-directory", + "packageType": "wordpress-plugin", + "product": "Name Directory", + "repo": "https://plugins.svn.wordpress.org/name-directory", + "vendor": "Jeroen Peters", + "versions": [ + { + "lessThan": "1.29.1", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f9f72f-01f4-47db-8efd-f25f0276896f?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43969.json b/data/anchore/2024/CVE-2024-43969.json new file mode 100644 index 00000000..f61f163b --- /dev/null +++ b/data/anchore/2024/CVE-2024-43969.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43969", + "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.12.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-12-sql-injection-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 4.9.13 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:spiffyplugins:spiffy_calendar:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "spiffy-calendar", + "packageType": "wordpress-plugin", + "product": "Spiffy Calendar", + "repo": "https://plugins.svn.wordpress.org/spiffy-calendar", + "vendor": "Spiffy Plugins", + "versions": [ + { + "lessThan": "4.9.13", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43970.json b/data/anchore/2024/CVE-2024-43970.json new file mode 100644 index 00000000..6d084e2d --- /dev/null +++ b/data/anchore/2024/CVE-2024-43970.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43970", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SureCart allows Reflected XSS.This issue affects SureCart: from n/a through 2.29.3.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/surecart/wordpress-surecart-plugin-2-29-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 2.29.4 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:surecart:surecart:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "surecart", + "packageType": "wordpress-plugin", + "product": "SureCart", + "repo": "https://plugins.svn.wordpress.org/surecart", + "vendor": "SureCart", + "versions": [ + { + "lessThan": "2.29.4", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f2fdc9d-891e-49c6-9427-620772336854?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43971.json b/data/anchore/2024/CVE-2024-43971.json new file mode 100644 index 00000000..aa7fbc0c --- /dev/null +++ b/data/anchore/2024/CVE-2024-43971.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43971", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Sunshine Sunshine Photo Cart allows Reflected XSS.This issue affects Sunshine Photo Cart: from n/a through 3.2.5.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/sunshine-photo-cart/wordpress-sunshine-photo-cart-free-client-photo-galleries-for-photographers-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 3.2.6 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "sunshine-photo-cart", + "packageType": "wordpress-plugin", + "product": "Sunshine Photo Cart", + "repo": "https://plugins.svn.wordpress.org/sunshine-photo-cart", + "vendor": "WP Sunshine", + "versions": [ + { + "lessThan": "3.2.6", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb99654-c0f4-4c75-9b9d-f3075db623fc?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43972.json b/data/anchore/2024/CVE-2024-43972.json new file mode 100644 index 00000000..cf8f7f1a --- /dev/null +++ b/data/anchore/2024/CVE-2024-43972.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43972", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagelayer Team PageLayer allows Stored XSS.This issue affects PageLayer: from n/a through 1.8.7.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/pagelayer/wordpress-page-builder-pagelayer-drag-and-drop-website-builder-plugin-1-8-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 1.8.8 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:pagelayer:pagelayer:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "pagelayer", + "packageType": "wordpress-plugin", + "product": "PageLayer", + "repo": "https://plugins.svn.wordpress.org/pagelayer", + "vendor": "Pagelayer Team", + "versions": [ + { + "lessThan": "1.8.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09ac7546-0572-4446-99f7-fe84f76fac9b?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43975.json b/data/anchore/2024/CVE-2024-43975.json new file mode 100644 index 00000000..f6c261e6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43975.json @@ -0,0 +1,44 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43975", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in highwarden Super Store Finder allows Cross-Site Scripting (XSS).This issue affects Super Store Finder: from n/a through 6.9.7.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 6.9.8 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*" + ], + "packageName": "superstorefinder-wp", + "packageType": "wordpress-plugin", + "product": "Super Store Finder", + "vendor": "highwarden", + "versions": [ + { + "lessThan": "6.9.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cba9501-2eb1-4702-889c-d0f4777e72e9?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43976.json b/data/anchore/2024/CVE-2024-43976.json new file mode 100644 index 00000000..85779832 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43976.json @@ -0,0 +1,44 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43976", + "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection.This issue affects Super Store Finder: from n/a through 6.9.7.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-7-sql-injection-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 6.9.8 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*" + ], + "packageName": "superstorefinder-wp", + "packageType": "wordpress-plugin", + "product": "Super Store Finder", + "vendor": "highwarden", + "versions": [ + { + "lessThan": "6.9.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28e4cc53-53c3-47bf-8ea4-818040d10abd?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43977.json b/data/anchore/2024/CVE-2024-43977.json new file mode 100644 index 00000000..410b45be --- /dev/null +++ b/data/anchore/2024/CVE-2024-43977.json @@ -0,0 +1,47 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43977", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/the-plus-addons-for-elementor-page-builder/wordpress-the-plus-addons-for-elementor-plugin-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 5.6.3 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*", + "cpe:2.3:a:posimyth:the_plus_addons_for_elementor_page_builder_lite:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "the-plus-addons-for-elementor-page-builder", + "packageType": "wordpress-plugin", + "product": "The Plus Addons for Elementor Page Builder Lite", + "repo": "https://plugins.svn.wordpress.org/the-plus-addons-for-elementor-page-builder", + "vendor": "POSIMYTH", + "versions": [ + { + "lessThan": "5.6.3", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4fdfc83-cce9-4c87-88f2-331be081b32c?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43978.json b/data/anchore/2024/CVE-2024-43978.json new file mode 100644 index 00000000..4e443152 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43978.json @@ -0,0 +1,44 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43978", + "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection.This issue affects Super Store Finder: from n/a before 6.9.8.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/superstorefinder-wp/wordpress-super-store-finder-plugin-6-9-8-sql-injection-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 6.9.8 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*" + ], + "packageName": "superstorefinder-wp", + "packageType": "wordpress-plugin", + "product": "Super Store Finder", + "vendor": "highwarden", + "versions": [ + { + "lessThan": "6.9.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8df5c412-e995-411f-94a9-afd7f9941125?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43983.json b/data/anchore/2024/CVE-2024-43983.json new file mode 100644 index 00000000..0aedbc36 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43983.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43983", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Podlove Podlove Podcast Publisher allows Stored XSS.This issue affects Podlove Podcast Publisher: from n/a through 4.1.13.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/podlove-podcasting-plugin-for-wordpress/wordpress-podlove-podcast-publisher-plugin-4-1-13-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 4.1.14 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:podlove:podlove_podcast_publisher:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "podlove-podcasting-plugin-for-wordpress", + "packageType": "wordpress-plugin", + "product": "Podlove Podcast Publisher", + "repo": "https://plugins.svn.wordpress.org/podlove-podcasting-plugin-for-wordpress", + "vendor": "Podlove", + "versions": [ + { + "lessThan": "4.1.14", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64b7985e-bb35-4648-8159-4424661b52a9?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43985.json b/data/anchore/2024/CVE-2024-43985.json new file mode 100644 index 00000000..fab82d82 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43985.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43985", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Bus Ticket Booking with Seat Reservation allows Stored XSS.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through 5.3.5.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/bus-ticket-booking-with-seat-reservation/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 5.3.6 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:mage-people:bus_ticket_booking_with_seat_reservation:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "bus-ticket-booking-with-seat-reservation", + "packageType": "wordpress-plugin", + "product": "Bus Ticket Booking with Seat Reservation", + "repo": "https://plugins.svn.wordpress.org/bus-ticket-booking-with-seat-reservation", + "vendor": "MagePeople Team", + "versions": [ + { + "lessThan": "5.3.6", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc92f28-02bd-48b3-b803-b67feab74db2?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-43999.json b/data/anchore/2024/CVE-2024-43999.json new file mode 100644 index 00000000..bd9af4a6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-43999.json @@ -0,0 +1,47 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-43999", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS.This issue affects Ninja Forms: from n/a through 3.8.11.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-8-11-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 3.8.12 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:ninjaforms:contact_form:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "ninja-forms", + "packageType": "wordpress-plugin", + "product": "Ninja Forms", + "repo": "https://plugins.svn.wordpress.org/ninja-forms", + "vendor": "Saturday Drive", + "versions": [ + { + "lessThan": "3.8.12", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c6f5f8c-7a8c-4524-8cb8-e14a6f182bbf?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44001.json b/data/anchore/2024/CVE-2024-44001.json new file mode 100644 index 00000000..92c17474 --- /dev/null +++ b/data/anchore/2024/CVE-2024-44001.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44001", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through 1.3.982.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-982-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 1.3.985 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "royal-elementor-addons", + "packageType": "wordpress-plugin", + "product": "Royal Elementor Addons", + "repo": "https://plugins.svn.wordpress.org/royal-elementor-addons", + "vendor": "WP Royal", + "versions": [ + { + "lessThan": "1.3.985", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4529464e-6830-4c2a-8146-79cf5fc1bc7c?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44002.json b/data/anchore/2024/CVE-2024-44002.json new file mode 100644 index 00000000..da9c99a6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-44002.json @@ -0,0 +1,38 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44002", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Reflected XSS.This issue affects Team Showcase: from n/a through 1.22.25.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/team/wordpress-team-showcase-plugin-1-22-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:pickplugins:team_showcase:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "team", + "packageType": "wordpress-plugin", + "product": "Team Showcase", + "repo": "https://plugins.svn.wordpress.org/team", + "vendor": "PickPlugins", + "versions": [ + { + "lessThanOrEqual": "1.22.25", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44004.json b/data/anchore/2024/CVE-2024-44004.json new file mode 100644 index 00000000..016e5ccb --- /dev/null +++ b/data/anchore/2024/CVE-2024-44004.json @@ -0,0 +1,38 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44004", + "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPTaskForce WPCargo Track & Trace allows SQL Injection.This issue affects WPCargo Track & Trace: from n/a through 7.0.6.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/wpcargo/wordpress-wpcargo-track-trace-plugin-7-0-6-sql-injection-vulnerability?_s_id=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:wptaskforce:track_\\&_trace:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "wpcargo", + "packageType": "wordpress-plugin", + "product": "WPCargo Track & Trace", + "repo": "https://plugins.svn.wordpress.org/wpcargo", + "vendor": "WPTaskForce", + "versions": [ + { + "lessThanOrEqual": "7.0.6", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44005.json b/data/anchore/2024/CVE-2024-44005.json new file mode 100644 index 00000000..054d06c1 --- /dev/null +++ b/data/anchore/2024/CVE-2024-44005.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44005", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Stored XSS.This issue affects Greenshift – animation and page builder blocks: from n/a through 9.3.7.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/greenshift-animation-and-page-builder-blocks/wordpress-greenshift-animation-and-page-builder-blocks-plugin-9-3-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 9.4 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:greenshiftwp:greenshift_-_animation_and_page_builder_blocks:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "greenshift-animation-and-page-builder-blocks", + "packageType": "wordpress-plugin", + "product": "Greenshift – animation and page builder blocks", + "repo": "https://plugins.svn.wordpress.org/greenshift-animation-and-page-builder-blocks", + "vendor": "Wpsoul", + "versions": [ + { + "lessThan": "9.4", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44008.json b/data/anchore/2024/CVE-2024-44008.json new file mode 100644 index 00000000..65a24d1f --- /dev/null +++ b/data/anchore/2024/CVE-2024-44008.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44008", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS.This issue affects Geo Mashup: from n/a through 1.13.12.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/geo-mashup/wordpress-geo-mashup-plugin-1-13-12-cross-site-scripting-xss-vulnerability?_s_id=cve" + ], + "solutions": [ + "Update to 1.13.13 or a higher version." + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:geo_mashup_project:geo_mashup:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "geo-mashup", + "packageType": "wordpress-plugin", + "product": "Geo Mashup", + "repo": "https://plugins.svn.wordpress.org/geo-mashup", + "vendor": "Dylan Kuhn", + "versions": [ + { + "lessThan": "1.13.13", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44009.json b/data/anchore/2024/CVE-2024-44009.json new file mode 100644 index 00000000..7cf476e3 --- /dev/null +++ b/data/anchore/2024/CVE-2024-44009.json @@ -0,0 +1,38 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44009", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through 3.6.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/wc-multivendor-marketplace/wordpress-wcfm-marketplace-3-6-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:wclovers:wcfm_marketplace:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "wc-multivendor-marketplace", + "packageType": "wordpress-plugin", + "product": "WCFM Marketplace", + "repo": "https://plugins.svn.wordpress.org/wc-multivendor-marketplace", + "vendor": "WC Lovers", + "versions": [ + { + "lessThanOrEqual": "3.6.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44047.json b/data/anchore/2024/CVE-2024-44047.json new file mode 100644 index 00000000..d58da08f --- /dev/null +++ b/data/anchore/2024/CVE-2024-44047.json @@ -0,0 +1,39 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44047", + "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in IDX Broker IMPress for IDX Broker allows Stored XSS.This issue affects IMPress for IDX Broker: from n/a through 3.2.2.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/idx-broker-platinum/wordpress-impress-for-idx-broker-plugin-3-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:idxbroker:idx_broker:*:*:*:*:platinum:wordpress:*:*", + "cpe:2.3:a:idxbroker:impress_for_idx_broker:*:*:*:*:platinum:wordpress:*:*" + ], + "packageName": "idx-broker-platinum", + "packageType": "wordpress-plugin", + "product": "IMPress for IDX Broker", + "repo": "https://plugins.svn.wordpress.org/idx-broker-platinum", + "vendor": "IDX Broker", + "versions": [ + { + "lessThanOrEqual": "3.2.2", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-44064.json b/data/anchore/2024/CVE-2024-44064.json new file mode 100644 index 00000000..734d9f5a --- /dev/null +++ b/data/anchore/2024/CVE-2024-44064.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "patchstack", + "cveId": "CVE-2024-44064", + "description": "Cross-Site Request Forgery (CSRF) vulnerability in LikeBtn Like Button Rating allows Cross-Site Scripting (XSS).This issue affects Like Button Rating: from n/a through 2.6.54.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://patchstack.com/database/vulnerability/likebtn-like-button/wordpress-like-button-rating-likebtn-plugin-2-6-53-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:likebtn:like_button_rating:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "likebtn-like-button", + "packageType": "wordpress-plugin", + "product": "Like Button Rating", + "repo": "https://plugins.svn.wordpress.org/likebtn-like-button", + "vendor": "LikeBtn", + "versions": [ + { + "lessThanOrEqual": "2.6.54", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b3d39be-83de-46e7-9eab-57c1e94ab59a?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45384.json b/data/anchore/2024/CVE-2024-45384.json new file mode 100644 index 00000000..a51b2f2a --- /dev/null +++ b/data/anchore/2024/CVE-2024-45384.json @@ -0,0 +1,37 @@ +{ + "additionalMetadata": { + "cna": "apache", + "cveId": "CVE-2024-45384", + "description": "Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.\nThis could allow an attacker to manipulate a pac4j session cookie.\n\nThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\nSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\n\nWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\nand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.apache.druid.extensions:druid-pac4j:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.apache.druid.extensions:druid-pac4j", + "packageType": "maven", + "product": "Apache Druid", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "30.0.1", + "status": "affected", + "version": "0.18.0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45398.json b/data/anchore/2024/CVE-2024-45398.json new file mode 100644 index 00000000..b0b32f81 --- /dev/null +++ b/data/anchore/2024/CVE-2024-45398.json @@ -0,0 +1,52 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45398", + "description": "Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads", + "https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://packagist.org", + "cpes": [ + "cpe:2.3:a:contao:contao:*:*:*:*:*:php:*:*", + "cpe:2.3:a:contao:contao_cms:*:*:*:*:*:php:*:*" + ], + "packageName": "contao/core-bundle", + "packageType": "php-composer", + "product": "contao", + "repo": "https://github.com/contao/contao", + "vendor": "contao", + "versions": [ + { + "lessThan": "4.13.49", + "status": "affected", + "version": "4.0.0", + "versionType": "custom" + }, + { + "lessThan": "5.3.15", + "status": "affected", + "version": "5.0.0", + "versionType": "custom" + }, + { + "lessThan": "5.4.3", + "status": "affected", + "version": "5.4.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45537.json b/data/anchore/2024/CVE-2024-45537.json new file mode 100644 index 00000000..d3126a4c --- /dev/null +++ b/data/anchore/2024/CVE-2024-45537.json @@ -0,0 +1,37 @@ +{ + "additionalMetadata": { + "cna": "apache", + "cveId": "CVE-2024-45537", + "description": "Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.\n\nUsers without the permission to configure JDBC connections are not able to exploit this vulnerability.\nCVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.\n\nThis issue is fixed in Apache Druid 30.0.1.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.apache.druid.extensions:druid-lookups-cached-global:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.apache.druid.extensions:druid-lookups-cached-global", + "packageType": "maven", + "product": "Apache Druid", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "30.0.1", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45604.json b/data/anchore/2024/CVE-2024-45604.json new file mode 100644 index 00000000..771b51dc --- /dev/null +++ b/data/anchore/2024/CVE-2024-45604.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45604", + "description": "Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget", + "https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://packagist.org", + "cpes": [ + "cpe:2.3:a:contao:contao:*:*:*:*:*:php:*:*", + "cpe:2.3:a:contao:contao_cms:*:*:*:*:*:php:*:*" + ], + "packageName": "contao/core-bundle", + "packageType": "php-composer", + "product": "contao", + "repo": "https://github.com/contao/contao", + "vendor": "contao", + "versions": [ + { + "lessThan": "4.13.49", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45605.json b/data/anchore/2024/CVE-2024-45605.json new file mode 100644 index 00000000..884430ff --- /dev/null +++ b/data/anchore/2024/CVE-2024-45605.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45605", + "description": "Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/getsentry/self-hosted", + "https://github.com/getsentry/sentry/pull/77093", + "https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://pypi.org", + "cpes": [ + "cpe:2.3:a:sentry:sentry:*:*:*:*:*:python:*:*" + ], + "packageName": "sentry", + "packageType": "python", + "product": "sentry", + "repo": "https://github.com/getsentry/sentry", + "vendor": "getsentry", + "versions": [ + { + "lessThan": "24.9.0", + "status": "affected", + "version": "23.9.0", + "versionType": "python" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45606.json b/data/anchore/2024/CVE-2024-45606.json new file mode 100644 index 00000000..7deac537 --- /dev/null +++ b/data/anchore/2024/CVE-2024-45606.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45606", + "description": "Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user can mute alert rules from arbitrary organizations and projects with a know rule ID. The user does not need to be a member of the organization or have permissions on the project. In our review, we have identified no instances where alerts have been muted by unauthorized parties. A patch was issued to ensure authorization checks are properly scoped on requests to mute alert rules. Authenticated users who do not have the necessary permissions are no longer able to mute alerts. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version **24.9.0** or higher. The rule mute feature was generally available as of 23.6.0 but users with early access may have had the feature as of 23.4.0. Affected users are advised to upgrade to version 24.9.0. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/getsentry/self-hosted", + "https://github.com/getsentry/sentry/pull/77016", + "https://github.com/getsentry/sentry/security/advisories/GHSA-v345-w9f2-mpm5" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://pypi.org", + "cpes": [ + "cpe:2.3:a:sentry:sentry:*:*:*:*:*:python:*:*" + ], + "packageName": "sentry", + "packageType": "python", + "product": "sentry", + "repo": "https://github.com/getsentry/sentry", + "vendor": "getsentry", + "versions": [ + { + "lessThan": "24.9.0", + "status": "affected", + "version": "23.4.0", + "versionType": "python" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45612.json b/data/anchore/2024/CVE-2024-45612.json new file mode 100644 index 00000000..d2b0cdac --- /dev/null +++ b/data/anchore/2024/CVE-2024-45612.json @@ -0,0 +1,52 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45612", + "description": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", + "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://packagist.org", + "cpes": [ + "cpe:2.3:a:contao:contao:*:*:*:*:*:php:*:*", + "cpe:2.3:a:contao:contao_cms:*:*:*:*:*:php:*:*" + ], + "packageName": "contao/core-bundle", + "packageType": "php-composer", + "product": "contao", + "repo": "https://github.com/contao/contao", + "vendor": "contao", + "versions": [ + { + "lessThan": "4.13.49", + "status": "affected", + "version": "4.13.0", + "versionType": "custom" + }, + { + "lessThan": "5.3.15", + "status": "affected", + "version": "5.0.0", + "versionType": "custom" + }, + { + "lessThan": "5.4.3", + "status": "affected", + "version": "5.4.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45811.json b/data/anchore/2024/CVE-2024-45811.json new file mode 100644 index 00000000..4fc571c4 --- /dev/null +++ b/data/anchore/2024/CVE-2024-45811.json @@ -0,0 +1,63 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45811", + "description": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34", + "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*" + ], + "packageName": "vite", + "packageType": "npm", + "product": "vite", + "repo": "https://github.com/vitejs/vite", + "vendor": "vitejs", + "versions": [ + { + "lessThan": "5.4.6", + "status": "affected", + "version": "5.4.0", + "versionType": "custom" + }, + { + "lessThan": "5.3.6", + "status": "affected", + "version": "5.3.0", + "versionType": "custom" + }, + { + "lessThan": "5.2.14", + "status": "affected", + "version": "5.0.0", + "versionType": "custom" + }, + { + "lessThan": "4.5.5", + "status": "affected", + "version": "4.0.0", + "versionType": "custom" + }, + { + "lessThan": "3.2.11", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45812.json b/data/anchore/2024/CVE-2024-45812.json new file mode 100644 index 00000000..6ff65dee --- /dev/null +++ b/data/anchore/2024/CVE-2024-45812.json @@ -0,0 +1,66 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45812", + "description": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad", + "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3", + "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", + "https://research.securitum.com/xss-in-amp4email-dom-clobbering", + "https://scnps.co/papers/sp23_domclob.pdf" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*" + ], + "packageName": "vite", + "packageType": "npm", + "product": "vite", + "repo": "https://github.com/vitejs/vite", + "vendor": "vitejs", + "versions": [ + { + "lessThan": "5.4.6", + "status": "affected", + "version": "5.4.0", + "versionType": "custom" + }, + { + "lessThan": "5.3.6", + "status": "affected", + "version": "5.3.0", + "versionType": "custom" + }, + { + "lessThan": "5.2.14", + "status": "affected", + "version": "5.0.0", + "versionType": "custom" + }, + { + "lessThan": "4.5.5", + "status": "affected", + "version": "4.0.0", + "versionType": "custom" + }, + { + "lessThan": "3.2.11", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45815.json b/data/anchore/2024/CVE-2024-45815.json new file mode 100644 index 00000000..d69507bc --- /dev/null +++ b/data/anchore/2024/CVE-2024-45815.json @@ -0,0 +1,39 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45815", + "description": "Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:linuxfoundation:backstage_plugin-catalog-backend:*:*:*:*:*:node.js:*:*", + "cpe:2.3:a:linuxfoundation:b\\@backstage\\/plugin-catalog-backend:*:*:*:*:*:node.js:*:*" + ], + "packageName": "@backstage/plugin-catalog-backend", + "packageType": "npm", + "product": "backstage plugin catalog backend", + "repo": "https://github.com/backstage/backstage", + "vendor": "backstage", + "versions": [ + { + "lessThan": "1.26.0", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45816.json b/data/anchore/2024/CVE-2024-45816.json new file mode 100644 index 00000000..1b8894a5 --- /dev/null +++ b/data/anchore/2024/CVE-2024-45816.json @@ -0,0 +1,39 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45816", + "description": "Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:linuxfoundation:\\@backstage\\/plugin-techdocs-backend:*:*:*:*:*:node.js:*:*", + "cpe:2.3:a:linuxfoundation:backstage_plugin-techdocs-backend:*:*:*:*:*:node.js:*:*" + ], + "packageName": "@backstage/plugin-techdocs-backend", + "packageType": "npm", + "product": "backstage plugin techdocs backend", + "repo": "https://github.com/backstage/backstage", + "vendor": "backstage", + "versions": [ + { + "lessThan": "1.10.13", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-46976.json b/data/anchore/2024/CVE-2024-46976.json new file mode 100644 index 00000000..29d432f6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-46976.json @@ -0,0 +1,39 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-46976", + "description": "Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:linuxfoundation:\\@backstage\\/plugin-techdocs-backend:*:*:*:*:*:node.js:*:*", + "cpe:2.3:a:linuxfoundation:backstage_plugin-techdocs-backend:*:*:*:*:*:node.js:*:*" + ], + "packageName": "@backstage/plugin-techdocs-backend", + "packageType": "npm", + "product": "backstage plugin techdocs backend", + "repo": "https://github.com/backstage/backstage", + "vendor": "backstage", + "versions": [ + { + "lessThan": "1.10.13", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-46982.json b/data/anchore/2024/CVE-2024-46982.json new file mode 100644 index 00000000..f10c0d30 --- /dev/null +++ b/data/anchore/2024/CVE-2024-46982.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-46982", + "description": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", + "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", + "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://registry.npmjs.org", + "cpes": [ + "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*" + ], + "packageName": "next", + "packageType": "npm", + "product": "next.js", + "repo": "https://github.com/vercel/next.js", + "vendor": "vercel", + "versions": [ + { + "lessThan": "13.5.7", + "status": "affected", + "version": "13.5.1", + "versionType": "custom" + }, + { + "lessThan": "14.2.10", + "status": "affected", + "version": "14.0.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-7788.json b/data/anchore/2024/CVE-2024-7788.json new file mode 100644 index 00000000..5e94225b --- /dev/null +++ b/data/anchore/2024/CVE-2024-7788.json @@ -0,0 +1,34 @@ +{ + "additionalMetadata": { + "cna": "document fdn.", + "cveId": "CVE-2024-7788", + "description": "Improper Digital Signature Invalidation  vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*" + ], + "product": "LibreOffice", + "vendor": "The Document Foundation", + "versions": [ + { + "lessThan": "24.2.5", + "status": "affected", + "version": "24.2", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8490.json b/data/anchore/2024/CVE-2024-8490.json new file mode 100644 index 00000000..1db7951c --- /dev/null +++ b/data/anchore/2024/CVE-2024-8490.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-8490", + "description": "The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L1089", + "https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L976", + "https://plugins.trac.wordpress.org/changeset/3152548/", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/17c06c83-6707-4233-a1c3-ef4cdcf93982?source=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:wp-property-hive:propertyhive:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "propertyhive", + "packageType": "wordpress-plugin", + "product": "PropertyHive", + "vendor": "propertyhive", + "versions": [ + { + "lessThan": "2.0.20", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8660.json b/data/anchore/2024/CVE-2024-8660.json new file mode 100644 index 00000000..e8d6be5b --- /dev/null +++ b/data/anchore/2024/CVE-2024-8660.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "concretecms", + "cveId": "CVE-2024-8660", + "description": "Concrete CMS versions 9.0.0 through 9.3.3 are affected by a\nstored XSS vulnerability in the \"Top Navigator Bar\" block.\nSince the \"Top Navigator Bar\" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6\nwith vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This\ndoes not affect versions below 9.0.0 since they do not have the Top\nNavigator Bar Block. Thanks, Chu Quoc Khanh for reporting.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", + "https://github.com/concretecms/concretecms/pull/12128" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://packagist.org", + "cpes": [ + "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:php:*:*" + ], + "packageName": "concrete5/concrete5", + "packageType": "php-composer", + "product": "Concrete CMS", + "programFiles": [ + "https://github.com/concretecms/concretecms" + ], + "vendor": "Concrete CMS", + "versions": [ + { + "lessThan": "9.3.4", + "status": "affected", + "version": "9.0.0", + "versionType": "git" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8761.json b/data/anchore/2024/CVE-2024-8761.json new file mode 100644 index 00000000..77b900ac --- /dev/null +++ b/data/anchore/2024/CVE-2024-8761.json @@ -0,0 +1,42 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-8761", + "description": "The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect url supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/assets/js/sti.js#L693", + "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/includes/class-sti-shortlink.php#L64", + "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/includes/class-sti-shortlink.php#L74", + "https://plugins.trac.wordpress.org/changeset/3152564/", + "https://wordpress.org/plugins/share-this-image/#developers", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e72d5c7-c601-4775-a825-4786bbd1b5f0?source=cve" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:share_this_image_project:share_this_image:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "share-this-image", + "packageType": "wordpress-plugin", + "product": "Share This Image", + "vendor": "mihail-barinov", + "versions": [ + { + "lessThan": "2.04", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8897.json b/data/anchore/2024/CVE-2024-8897.json new file mode 100644 index 00000000..a4a6f6a8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8897.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "mozilla", + "cveId": "CVE-2024-8897", + "description": "Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to appear to have the same URL as the trusted site.\n*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1862537", + "https://www.mozilla.org/security/advisories/mfsa2024-45/" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*" + ], + "product": "Firefox for Android", + "vendor": "Mozilla", + "versions": [ + { + "lessThan": "130.0.1", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8900.json b/data/anchore/2024/CVE-2024-8900.json new file mode 100644 index 00000000..913940f4 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8900.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "mozilla", + "cveId": "CVE-2024-8900", + "description": "An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1872841", + "https://www.mozilla.org/security/advisories/mfsa2024-33/" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*" + ], + "product": "Firefox", + "vendor": "Mozilla", + "versions": [ + { + "lessThan": "129", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8904.json b/data/anchore/2024/CVE-2024-8904.json new file mode 100644 index 00000000..238300f2 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8904.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8904", + "description": "Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/365376497" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8905.json b/data/anchore/2024/CVE-2024-8905.json new file mode 100644 index 00000000..e61d2ebd --- /dev/null +++ b/data/anchore/2024/CVE-2024-8905.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8905", + "description": "Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/359949835" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8906.json b/data/anchore/2024/CVE-2024-8906.json new file mode 100644 index 00000000..73f4a870 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8906.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8906", + "description": "Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/352681108" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8907.json b/data/anchore/2024/CVE-2024-8907.json new file mode 100644 index 00000000..9dda9c74 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8907.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8907", + "description": "Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/360642942" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8908.json b/data/anchore/2024/CVE-2024-8908.json new file mode 100644 index 00000000..36c1ea68 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8908.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8908", + "description": "Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/337222641" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8909.json b/data/anchore/2024/CVE-2024-8909.json new file mode 100644 index 00000000..78136f21 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8909.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-8909", + "description": "Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html", + "https://issues.chromium.org/issues/341353783" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "129.0.6668.58", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file