Skip to content

Commit

Permalink
3 changes (3 new | 0 updated):
Browse files Browse the repository at this point in the history 
      - 3 new CVEs:  CVE-2024-10175, CVE-2024-10580, CVE-2024-10895
      - 0 updated CVEs:
  • Loading branch information
cvelistV5 Github Action committed Nov 27, 2024
1 parent 7397fbb commit f5e780c
Show file tree
Hide file tree
Showing 5 changed files with 311 additions and 6 deletions.
88 changes: 88 additions & 0 deletions cves/2024/10xxx/CVE-2024-10175.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-10175",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"state": "PUBLISHED",
"assignerShortName": "Wordfence",
"dateReserved": "2024-10-18T20:33:11.925Z",
"datePublished": "2024-11-27T06:41:28.887Z",
"dateUpdated": "2024-11-27T06:41:28.887Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2024-11-27T06:41:28.887Z"
},
"affected": [
{
"vendor": "labibahmed42",
"product": "Pricing Tables For WPBakery Page Builder (formerly Visual Composer)",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "1.4",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdo_pricing_tables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"title": "Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wdo_pricing_tables Shortcode",
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79091bc0-d9b6-4a4b-926d-0447193d27c5?source=cve"
},
{
"url": "https://wordpress.org/plugins/pricing-tables-for-visual-composer/#developers"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 6.4,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"timeline": [
{
"time": "2024-11-26T18:28:52.000+00:00",
"lang": "en",
"value": "Disclosed"
}
]
}
}
}
91 changes: 91 additions & 0 deletions cves/2024/10xxx/CVE-2024-10580.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-10580",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"state": "PUBLISHED",
"assignerShortName": "Wordfence",
"dateReserved": "2024-10-31T12:57:12.812Z",
"datePublished": "2024-11-27T06:41:28.378Z",
"dateUpdated": "2024-11-27T06:41:28.378Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2024-11-27T06:41:28.378Z"
},
"affected": [
{
"vendor": "wpmudev",
"product": "Hustle – Email Marketing, Lead Generation, Optins, Popups",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "7.8.5",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms."
}
],
"title": "Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission",
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b2f8726-c4c4-4ed6-aa8d-4412cf5be061?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.5/inc/front/hustle-module-front-ajax.php#L251"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3196639/wordpress-popup/tags/7.8.6/inc/front/hustle-module-front-ajax.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-862 Missing Authorization",
"cweId": "CWE-862",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vijaysimha Reddy"
}
],
"timeline": [
{
"time": "2024-11-26T00:00:00.000+00:00",
"lang": "en",
"value": "Disclosed"
}
]
}
}
}
88 changes: 88 additions & 0 deletions cves/2024/10xxx/CVE-2024-10895.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-10895",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"state": "PUBLISHED",
"assignerShortName": "Wordfence",
"dateReserved": "2024-11-05T18:48:41.770Z",
"datePublished": "2024-11-27T06:41:27.696Z",
"dateUpdated": "2024-11-27T06:41:27.696Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2024-11-27T06:41:27.696Z"
},
"affected": [
{
"vendor": "logichunt",
"product": "Counter Up – Animated Number Counter & Milestone Showcase",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "2.4.0",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lgx-counter' shortcode in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"title": "Counter Up – Animated Number Counter & Milestone Showcase <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting",
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36e070de-bd77-48a4-a9c2-3938b144398a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-counter-up/trunk/public/class-wp-counter-up-public.php#L318"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 6.4,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"timeline": [
{
"time": "2024-11-26T18:29:11.000+00:00",
"lang": "en",
"value": "Disclosed"
}
]
}
}
}
24 changes: 18 additions & 6 deletions cves/delta.json
View file
Original file line number Diff line number Diff line change
@@ -1,12 +1,24 @@
{
"fetchTime": "2024-11-27T06:30:48.494Z",
"numberOfChanges": 1,
"fetchTime": "2024-11-27T06:44:08.420Z",
"numberOfChanges": 3,
"new": [
{
"cveId": "CVE-2024-36467",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-36467",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/36xxx/CVE-2024-36467.json",
"dateUpdated": "2024-11-27T06:16:30.381Z"
"cveId": "CVE-2024-10175",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10175",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10175.json",
"dateUpdated": "2024-11-27T06:41:28.887Z"
},
{
"cveId": "CVE-2024-10580",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10580",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10580.json",
"dateUpdated": "2024-11-27T06:41:28.378Z"
},
{
"cveId": "CVE-2024-10895",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10895",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10895.json",
"dateUpdated": "2024-11-27T06:41:27.696Z"
}
],
"updated": [],
Expand Down
26 changes: 26 additions & 0 deletions cves/deltaLog.json
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,30 @@
[
{
"fetchTime": "2024-11-27T06:44:08.420Z",
"numberOfChanges": 3,
"new": [
{
"cveId": "CVE-2024-10175",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10175",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10175.json",
"dateUpdated": "2024-11-27T06:41:28.887Z"
},
{
"cveId": "CVE-2024-10580",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10580",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10580.json",
"dateUpdated": "2024-11-27T06:41:28.378Z"
},
{
"cveId": "CVE-2024-10895",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10895",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10895.json",
"dateUpdated": "2024-11-27T06:41:27.696Z"
}
],
"updated": [],
"error": []
},
{
"fetchTime": "2024-11-27T06:30:48.494Z",
"numberOfChanges": 1,
Expand Down

0 comments on commit f5e780c

Please sign in to comment.