-
Notifications
You must be signed in to change notification settings - Fork 343
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a3dda9a
commit 94895d9
Showing
25 changed files
with
986 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
50 changes: 50 additions & 0 deletions
50
advisories/unreviewed/2024/11/GHSA-3m72-96fp-2vmr/GHSA-3m72-96fp-2vmr.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-3m72-96fp-2vmr", | ||
| "modified": "2024-11-09T09:30:29Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-9874" | ||
| ], | ||
| "details": "The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9874" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://packetstormsecurity.com/files/179500/WordPress-Poll-Maker-5.3.2-SQL-Injection.html" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-results-list-table.php#L58" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.7/includes/lists/class-poll-maker-each-results-poll-list-table.php#L48" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a7e8284-d70f-4448-8f0d-99c23b8eda79?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-89" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T07:15:07Z" | ||
| } | ||
| } |
42 changes: 42 additions & 0 deletions
42
advisories/unreviewed/2024/11/GHSA-6j6p-pvv3-rrg5/GHSA-6j6p-pvv3-rrg5.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-6j6p-pvv3-rrg5", | ||
| "modified": "2024-11-09T09:30:29Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-10589" | ||
| ], | ||
| "details": "The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10589" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://codecanyon.net/item/leopard-wordpress-offload-media/23728788" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0b50597-18c1-4cbc-aebb-348f4d786ad9?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-862" | ||
| ], | ||
| "severity": "CRITICAL", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T08:15:03Z" | ||
| } | ||
| } |
38 changes: 38 additions & 0 deletions
38
advisories/unreviewed/2024/11/GHSA-6wh9-5xqw-j4hc/GHSA-6wh9-5xqw-j4hc.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-6wh9-5xqw-j4hc", | ||
| "modified": "2024-11-09T09:30:30Z", | ||
| "published": "2024-11-09T09:30:30Z", | ||
| "aliases": [ | ||
| "CVE-2024-51786" | ||
| ], | ||
| "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BestWebSoft Realty by BestWebSoft allows Stored XSS.This issue affects Realty by BestWebSoft: from n/a through 1.1.5.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51786" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://patchstack.com/database/vulnerability/realty/wordpress-realty-by-bestwebsoft-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T09:15:06Z" | ||
| } | ||
| } |
38 changes: 38 additions & 0 deletions
38
advisories/unreviewed/2024/11/GHSA-7924-wvgm-wqr4/GHSA-7924-wvgm-wqr4.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-7924-wvgm-wqr4", | ||
| "modified": "2024-11-09T09:30:29Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-51570" | ||
| ], | ||
| "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Odihost Easy Gallery allows SQL Injection.This issue affects Easy Gallery: from n/a through 1.4.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51570" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://patchstack.com/database/vulnerability/simple-gallery-odihost/wordpress-easy-gallery-plugin-1-4-sql-injection-vulnerability?_s_id=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-89" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T09:15:03Z" | ||
| } | ||
| } |
38 changes: 38 additions & 0 deletions
38
advisories/unreviewed/2024/11/GHSA-7rxc-rc94-v9xm/GHSA-7rxc-rc94-v9xm.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-7rxc-rc94-v9xm", | ||
| "modified": "2024-11-09T09:30:30Z", | ||
| "published": "2024-11-09T09:30:30Z", | ||
| "aliases": [ | ||
| "CVE-2024-51787" | ||
| ], | ||
| "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in QuomodoSoft ElementsReady Addons for Elementor allows Stored XSS.This issue affects ElementsReady Addons for Elementor: from n/a through 6.4.3.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51787" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://patchstack.com/database/vulnerability/element-ready-lite/wordpress-elementsready-addons-for-elementor-plugin-6-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T09:15:07Z" | ||
| } | ||
| } |
38 changes: 38 additions & 0 deletions
38
advisories/unreviewed/2024/11/GHSA-97p9-r285-2g4p/GHSA-97p9-r285-2g4p.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-97p9-r285-2g4p", | ||
| "modified": "2024-11-09T09:30:29Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-51601" | ||
| ], | ||
| "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Maksym Marko Website price calculator allows SQL Injection.This issue affects Website price calculator: from n/a through 4.1.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51601" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://patchstack.com/database/vulnerability/price-calculator-to-your-website/wordpress-website-price-calculator-plugin-4-1-sql-injection-vulnerability?_s_id=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-89" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T09:15:04Z" | ||
| } | ||
| } |
38 changes: 38 additions & 0 deletions
38
advisories/unreviewed/2024/11/GHSA-f5vx-x5v9-rj8r/GHSA-f5vx-x5v9-rj8r.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-f5vx-x5v9-rj8r", | ||
| "modified": "2024-11-09T09:30:30Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-51602" | ||
| ], | ||
| "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oleksandr Ustymenko Simple Job Manager allows SQL Injection.This issue affects Simple Job Manager: from n/a through 1.1.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51602" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://patchstack.com/database/vulnerability/simple-job-manager/wordpress-simple-job-manager-plugin-1-1-sql-injection-vulnerability?_s_id=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-89" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T09:15:04Z" | ||
| } | ||
| } |
46 changes: 46 additions & 0 deletions
46
advisories/unreviewed/2024/11/GHSA-gmm4-g83x-r552/GHSA-gmm4-g83x-r552.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-gmm4-g83x-r552", | ||
| "modified": "2024-11-09T09:30:29Z", | ||
| "published": "2024-11-09T09:30:29Z", | ||
| "aliases": [ | ||
| "CVE-2024-10876" | ||
| ], | ||
| "details": "The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.8.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
|
|
||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10876" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.2/includes/admin/donations/class-charitable-donation-list-table.php#L318" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/changeset/3183944/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68014bb5-b2ef-4e2f-9c47-85e555ded5a7?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2024-11-09T07:15:06Z" | ||
| } | ||
| } |
Oops, something went wrong.