2 changes (2 new | 0 updated):

- 2 new CVEs: CVE-2024-13457, CVE-2024-13642 - 0 updated CVEs:
CVEProject · Jan 30, 2025 · 6673406 · 6673406
1 parent 1f67696
commit 6673406
Show file tree

Hide file tree

Showing 4 changed files with 211 additions and 48 deletions.
diff --git a/cves/2024/13xxx/CVE-2024-13457.json b/cves/2024/13xxx/CVE-2024-13457.json
@@ -0,0 +1,88 @@
+{
+    "dataType": "CVE_RECORD",
+    "dataVersion": "5.1",
+    "cveMetadata": {
+        "cveId": "CVE-2024-13457",
+        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
+        "state": "PUBLISHED",
+        "assignerShortName": "Wordfence",
+        "dateReserved": "2025-01-16T14:57:20.404Z",
+        "datePublished": "2025-01-30T06:41:07.956Z",
+        "dateUpdated": "2025-01-30T06:41:07.956Z"
+    },
+    "containers": {
+        "cna": {
+            "providerMetadata": {
+                "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
+                "shortName": "Wordfence",
+                "dateUpdated": "2025-01-30T06:41:07.956Z"
+            },
+            "affected": [
+                {
+                    "vendor": "theeventscalendar",
+                    "product": "Event Tickets and Registration",
+                    "versions": [
+                        {
+                            "version": "*",
+                            "status": "affected",
+                            "lessThanOrEqual": "5.18.1",
+                            "versionType": "semver"
+                        }
+                    ],
+                    "defaultStatus": "unaffected"
+                }
+            ],
+            "descriptions": [
+                {
+                    "lang": "en",
+                    "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date."
+                }
+            ],
+            "title": "Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure",
+            "references": [
+                {
+                    "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cc2261a-889e-40ec-8382-48de65b91b34?source=cve"
+                },
+                {
+                    "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3229935%40event-tickets%2Ftags%2F5.18.1.1&old=3227011%40event-tickets%2Ftags%2F5.18.1"
+                }
+            ],
+            "problemTypes": [
+                {
+                    "descriptions": [
+                        {
+                            "lang": "en",
+                            "description": "CWE-284 Improper Access Control",
+                            "cweId": "CWE-284",
+                            "type": "CWE"
+                        }
+                    ]
+                }
+            ],
+            "metrics": [
+                {
+                    "cvssV3_1": {
+                        "version": "3.1",
+                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+                        "baseScore": 5.3,
+                        "baseSeverity": "MEDIUM"
+                    }
+                }
+            ],
+            "credits": [
+                {
+                    "lang": "en",
+                    "type": "finder",
+                    "value": "Whit Taylor"
+                }
+            ],
+            "timeline": [
+                {
+                    "time": "2025-01-29T18:25:56.000+00:00",
+                    "lang": "en",
+                    "value": "Disclosed"
+                }
+            ]
+        }
+    }
+}
diff --git a/cves/2024/13xxx/CVE-2024-13642.json b/cves/2024/13xxx/CVE-2024-13642.json
@@ -0,0 +1,93 @@
+{
+    "dataType": "CVE_RECORD",
+    "dataVersion": "5.1",
+    "cveMetadata": {
+        "cveId": "CVE-2024-13642",
+        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
+        "state": "PUBLISHED",
+        "assignerShortName": "Wordfence",
+        "dateReserved": "2025-01-23T00:53:13.350Z",
+        "datePublished": "2025-01-30T06:41:08.797Z",
+        "dateUpdated": "2025-01-30T06:41:08.797Z"
+    },
+    "containers": {
+        "cna": {
+            "providerMetadata": {
+                "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
+                "shortName": "Wordfence",
+                "dateUpdated": "2025-01-30T06:41:08.797Z"
+            },
+            "affected": [
+                {
+                    "vendor": "jetmonsters",
+                    "product": "Stratum – Elementor Widgets",
+                    "versions": [
+                        {
+                            "version": "*",
+                            "status": "affected",
+                            "lessThanOrEqual": "1.4.7",
+                            "versionType": "semver"
+                        }
+                    ],
+                    "defaultStatus": "unaffected"
+                }
+            ],
+            "descriptions": [
+                {
+                    "lang": "en",
+                    "value": "The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hotspot widget in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
+                }
+            ],
+            "title": "Stratum – Elementor Widgets <= 1.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerability via Image Hotspot Widget",
+            "references": [
+                {
+                    "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccaee26-277e-4730-8242-9b5e6a281fcc?source=cve"
+                },
+                {
+                    "url": "https://plugins.trac.wordpress.org/changeset/3228058#file6"
+                }
+            ],
+            "problemTypes": [
+                {
+                    "descriptions": [
+                        {
+                            "lang": "en",
+                            "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+                            "cweId": "CWE-79",
+                            "type": "CWE"
+                        }
+                    ]
+                }
+            ],
+            "metrics": [
+                {
+                    "cvssV3_1": {
+                        "version": "3.1",
+                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+                        "baseScore": 6.4,
+                        "baseSeverity": "MEDIUM"
+                    }
+                }
+            ],
+            "credits": [
+                {
+                    "lang": "en",
+                    "type": "finder",
+                    "value": "D.Sim"
+                }
+            ],
+            "timeline": [
+                {
+                    "time": "2025-01-23T00:00:00.000+00:00",
+                    "lang": "en",
+                    "value": "Vendor Notified"
+                },
+                {
+                    "time": "2025-01-29T00:00:00.000+00:00",
+                    "lang": "en",
+                    "value": "Disclosed"
+                }
+            ]
+        }
+    }
+}
diff --git a/cves/delta.json b/cves/delta.json
@@ -1,42 +1,18 @@
 {
-  "fetchTime": "2025-01-30T06:07:48.590Z",
-  "numberOfChanges": 6,
+  "fetchTime": "2025-01-30T06:47:54.588Z",
+  "numberOfChanges": 2,
   "new": [
     {
-      "cveId": "CVE-2024-10309",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10309",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10309.json",
-      "dateUpdated": "2025-01-30T06:00:05.682Z"
+      "cveId": "CVE-2024-13457",
+      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-13457",
+      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/13xxx/CVE-2024-13457.json",
+      "dateUpdated": "2025-01-30T06:41:07.956Z"
     },
     {
-      "cveId": "CVE-2024-12163",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12163",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12163.json",
-      "dateUpdated": "2025-01-30T06:00:08.044Z"
-    },
-    {
-      "cveId": "CVE-2024-12400",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12400",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12400.json",
-      "dateUpdated": "2025-01-30T06:00:09.161Z"
-    },
-    {
-      "cveId": "CVE-2024-12638",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12638",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12638.json",
-      "dateUpdated": "2025-01-30T06:00:09.593Z"
-    },
-    {
-      "cveId": "CVE-2024-12708",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12708",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12708.json",
-      "dateUpdated": "2025-01-30T06:00:10.821Z"
-    },
-    {
-      "cveId": "CVE-2024-12709",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12709",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12709.json",
-      "dateUpdated": "2025-01-30T06:00:11.424Z"
+      "cveId": "CVE-2024-13642",
+      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-13642",
+      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/13xxx/CVE-2024-13642.json",
+      "dateUpdated": "2025-01-30T06:41:08.797Z"
     }
   ],
   "updated": [],

diff --git a/cves/deltaLog.json b/cves/deltaLog.json
@@ -1,4 +1,24 @@
 [
+  {
+    "fetchTime": "2025-01-30T06:47:54.588Z",
+    "numberOfChanges": 2,
+    "new": [
+      {
+        "cveId": "CVE-2024-13457",
+        "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-13457",
+        "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/13xxx/CVE-2024-13457.json",
+        "dateUpdated": "2025-01-30T06:41:07.956Z"
+      },
+      {
+        "cveId": "CVE-2024-13642",
+        "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-13642",
+        "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/13xxx/CVE-2024-13642.json",
+        "dateUpdated": "2025-01-30T06:41:08.797Z"
+      }
+    ],
+    "updated": [],
+    "error": []
+  },
   {
     "fetchTime": "2025-01-30T06:07:48.590Z",
     "numberOfChanges": 6,
@@ -138409,19 +138429,5 @@
       }
     ],
     "error": []
-  },
-  {
-    "fetchTime": "2024-12-31T06:08:20.860Z",
-    "numberOfChanges": 1,
-    "new": [
-      {
-        "cveId": "CVE-2024-11972",
-        "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-11972",
-        "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/11xxx/CVE-2024-11972.json",
-        "dateUpdated": "2024-12-31T06:00:01.751Z"
-      }
-    ],
-    "updated": [],
-    "error": []
   }
 ]