-
Notifications
You must be signed in to change notification settings - Fork 347
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA-4cq7-66cw-m9cq GHSA-62gf-8cqx-gg6x GHSA-gr6q-vmf7-w8v4 GHSA-h44w-w4w4-cjc2 GHSA-hr35-82jp-j7rc GHSA-j5vj-g2rr-m44q
- Loading branch information
1 parent
13b4347
commit 0914ff1
Showing
6 changed files
with
252 additions
and
0 deletions.
There are no files selected for viewing
48 changes: 48 additions & 0 deletions
48
advisories/unreviewed/2025/01/GHSA-4cq7-66cw-m9cq/GHSA-4cq7-66cw-m9cq.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-4cq7-66cw-m9cq", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-13401" | ||
| ], | ||
| "details": "The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13401" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/main.php#L72" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L3" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3223257%40wp-paypal&new=3223257%40wp-paypal&sfp_email=&sfph_mail=" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20fc675c-08a4-4d77-9872-335d23146906?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T05:15:09Z" | ||
| } | ||
| } |
40 changes: 40 additions & 0 deletions
40
advisories/unreviewed/2025/01/GHSA-62gf-8cqx-gg6x/GHSA-62gf-8cqx-gg6x.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-62gf-8cqx-gg6x", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-13398" | ||
| ], | ||
| "details": "The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13398" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3223256%40checkout-for-paypal&new=3223256%40checkout-for-paypal&sfp_email=&sfph_mail=" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2e552b8-84ad-436d-b029-f7dd4534f7d5?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T05:15:08Z" | ||
| } | ||
| } |
40 changes: 40 additions & 0 deletions
40
advisories/unreviewed/2025/01/GHSA-gr6q-vmf7-w8v4/GHSA-gr6q-vmf7-w8v4.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-gr6q-vmf7-w8v4", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-13434" | ||
| ], | ||
| "details": "The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13434" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3223184%40wp-inventory-manager&new=3223184%40wp-inventory-manager&sfp_email=&sfph_mail=" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e3069d4-12b8-4949-9daf-0e01590799da?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T05:15:09Z" | ||
| } | ||
| } |
40 changes: 40 additions & 0 deletions
40
advisories/unreviewed/2025/01/GHSA-h44w-w4w4-cjc2/GHSA-h44w-w4w4-cjc2.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-h44w-w4w4-cjc2", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-11146" | ||
| ], | ||
| "details": "TrueFiling is a collaborative, web-based electronic filing system where attorneys, paralegals, court reporters and self-represented filers collect public legal documentation into cases. TrueFiling is an entirely cloud-hosted application. Prior to version 3.1.112.19, TrueFiling trusted some client-controlled identifiers passed in URL requests to retrieve information. Platform users must self-register for an account, and once authenticated, could manipulate those identifiers to gain partial access to case information and the ability to partially change user access to case information. This vulnerability was addressed in version 3.1.112.19 and all instances were updated by 2024-11-08.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:L/U:X" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11146" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-25-017-01.json" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-639" | ||
| ], | ||
| "severity": "LOW", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T06:15:15Z" | ||
| } | ||
| } |
40 changes: 40 additions & 0 deletions
40
advisories/unreviewed/2025/01/GHSA-hr35-82jp-j7rc/GHSA-hr35-82jp-j7rc.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-hr35-82jp-j7rc", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-10799" | ||
| ], | ||
| "details": "The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10799" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://codecanyon.net/item/eventer-wordpress-event-manager-plugin/20972534" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aea5f970-243f-4642-83e1-34db11c4ca63?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-22" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T06:15:14Z" | ||
| } | ||
| } |
44 changes: 44 additions & 0 deletions
44
advisories/unreviewed/2025/01/GHSA-j5vj-g2rr-m44q/GHSA-j5vj-g2rr-m44q.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-j5vj-g2rr-m44q", | ||
| "modified": "2025-01-17T06:30:54Z", | ||
| "published": "2025-01-17T06:30:54Z", | ||
| "aliases": [ | ||
| "CVE-2024-13333" | ||
| ], | ||
| "details": "The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the \"Display .htaccess?\" setting is enabled.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13333" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_connector.php?rev=3200092#L78" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://plugins.trac.wordpress.org/changeset/3222740" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8bcbf8-1848-4f7a-89d8-5894de0bb18b?source=cve" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-434" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2025-01-17T06:15:15Z" | ||
| } | ||
| } |