updates 2024-10-21

Signed-off-by: Weston Steimel <[email protected]>
anchore · Oct 21, 2024 · 0f9e4fc · 0f9e4fc
1 parent 466442b
commit 0f9e4fc
Show file tree

Hide file tree

Showing 55 changed files with 1,131 additions and 33 deletions.
diff --git a/data/anchore/2019/CVE-2019-25218.json b/data/anchore/2019/CVE-2019-25218.json
@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2019-25218",
+    "description": "The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/wp-responsive-photo-gallery/tags/1.0.3/wp-responsive-photo-gallery.php#L1393",
+      "https://plugins.trac.wordpress.org/browser/wp-responsive-photo-gallery/tags/1.0.4/wp-responsive-photo-gallery.php#L1614",
+      "https://wordpress.org/plugins/wp-responsive-photo-gallery/",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/05ff1b1e-f7ba-485d-9421-9bb38f6831ef?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:i13websolution:web_solution_photo_gallery_slideshow_\\&_masonry_tiled_gallery:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "wp-responsive-photo-gallery",
+        "packageType": "wordpress-plugin",
+        "product": "Photo Gallery Slideshow & Masonry Tiled Gallery",
+        "vendor": "nik00726",
+        "versions": [
+          {
+            "lessThan": "1.0.4",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2022/CVE-2022-3556.json b/data/anchore/2022/CVE-2022-3556.json
@@ -22,7 +22,7 @@
         "vendor": "kanev",
         "versions": [
           {
-            "lessThanOrEqual": "1.1.6",
+            "lessThan": "1.1.7",
             "status": "affected",
             "version": "0",
             "versionType": "semver"

diff --git a/data/anchore/2023/CVE-2023-6243.json b/data/anchore/2023/CVE-2023-6243.json
@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2023-6243",
+    "description": "The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated attackers to send test emails to arbitrary email addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://docs.myeventon.com/documentations/eventon-changelog/",
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3017939%40eventon-lite&new=3017939%40eventon-lite&sfp_email=&sfph_mail=",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d0a40f8-4c31-447d-ac28-73cfe7a07687?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:myeventon:eventon-lite:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "eventon",
+        "packageType": "wordpress-plugin",
+        "product": "EventON Pro",
+        "repo": "https://plugins.svn.wordpress.org/eventon",
+        "vendor": "EventON",
+        "versions": [
+          {
+            "lessThan": "4.7",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-10049.json b/data/anchore/2024/CVE-2024-10049.json
@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10049",
+    "description": "The Edit WooCommerce Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/woo-edit-templates/trunk/includes/list-table-theme-templates.php#L87",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/3704b365-cbdf-4c74-9619-59f0a10e3c6a?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:ioannup:edit_woocommerce_templates:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "woo-edit-templates",
+        "packageType": "wordpress-plugin",
+        "product": "Edit WooCommerce Templates",
+        "vendor": "ioannup",
+        "versions": [
+          {
+            "lessThanOrEqual": "1.1.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-10057.json b/data/anchore/2024/CVE-2024-10057.json
@@ -0,0 +1,39 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10057",
+    "description": "The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rfw-youtube-videos shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3170773/",
+      "https://wordpress.org/plugins/rss-feed-widget/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/b77ea258-dced-4c36-bd0d-8977a347d1c9?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:rss_feed_widget_project:rss_feed_widget:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "rss-feed-widget",
+        "packageType": "wordpress-plugin",
+        "product": "RSS Feed Widget",
+        "vendor": "fahadmahmood",
+        "versions": [
+          {
+            "lessThan": "3.0.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-37404.json b/data/anchore/2024/CVE-2024-37404.json
@@ -0,0 +1,55 @@
+{
+  "additionalMetadata": {
+    "cna": "hackerone",
+    "cveId": "CVE-2024-37404",
+    "description": "Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Connect Secure",
+        "vendor": "Ivanti",
+        "versions": [
+          {
+            "lessThan": "22.7r2.1",
+            "status": "affected",
+            "version": "10",
+            "versionType": "custom"
+          },
+          {
+            "lessThan": "9.1r18.9",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      },
+      {
+        "cpes": [
+          "cpe:2.3:a:ivanti:policy_secure:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Policy Secure",
+        "vendor": "Ivanti",
+        "versions": [
+          {
+            "lessThan": "22.7r1.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-44000.json b/data/anchore/2024/CVE-2024-44000.json
@@ -0,0 +1,47 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-44000",
+    "description": "Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a before 6.5.0.1.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin?_s_id=cve",
+      "https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-0-1-unauthenticated-account-takeover-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 6.5.0.1 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "litespeed-cache",
+        "packageType": "wordpress-plugin",
+        "product": "LiteSpeed Cache",
+        "repo": "https://plugins.svn.wordpress.org/litespeed-cache",
+        "vendor": "LiteSpeed Technologies",
+        "versions": [
+          {
+            "lessThan": "6.5.0.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31173691-28fb-46fd-a7da-28bf9c46e2bc?source=cve"
+      }
+    ]
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-44013.json b/data/anchore/2024/CVE-2024-44013.json
@@ -22,7 +22,7 @@
         "vendor": "Innate Images LLC",
         "versions": [
           {
-            "lessThanOrEqual": "2.4.0",
+            "lessThan": "2.4.5",
             "status": "affected",
             "version": "0",
             "versionType": "custom"

diff --git a/data/anchore/2024/CVE-2024-46897.json b/data/anchore/2024/CVE-2024-46897.json
@@ -0,0 +1,42 @@
+{
+  "additionalMetadata": {
+    "cna": "jpcert",
+    "cveId": "CVE-2024-46897",
+    "description": "Incorrect permission assignment for critical resource issue exists in Exment v6.1.4 and earlier and Exment v5.0.11 and earlier. A logged-in user with the permission of table management may obtain and/or alter the information of the unauthorized table.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://exment.net/docs/#/weakness/20241010_2",
+      "https://exment.net/vulnerability-correspondence-version-6-1-5-and-5-0-12-released/",
+      "https://jvn.jp/en/jp/JVN74538317/"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:exceedone:exment:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Exment",
+        "vendor": "Kajitori Co.,Ltd",
+        "versions": [
+          {
+            "lessThan": "6.1.5",
+            "status": "affected",
+            "version": "6",
+            "versionType": "custom"
+          },
+          {
+            "lessThan": "5.0.12",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2024/CVE-2024-47325.json b/data/anchore/2024/CVE-2024-47325.json
@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-47325",
+    "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows SQL Injection.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.7.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/multiple-pages-generator-by-porthas/wordpress-multiple-page-generator-plugin-mpg-plugin-3-4-7-sql-injection-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 3.4.8 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:themeisle:multiple_page_generator:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "multiple-pages-generator-by-porthas",
+        "packageType": "wordpress-plugin",
+        "product": "Multiple Page Generator Plugin – MPG",
+        "repo": "https://plugins.svn.wordpress.org/multiple-pages-generator-by-porthas",
+        "vendor": "Themeisle",
+        "versions": [
+          {
+            "lessThan": "3.4.8",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f77e2d1e-7925-4343-9c22-5b77ea0d439b?source=cve"
+      }
+    ]
+  }
+}