updates 2024-12-06

Signed-off-by: Weston Steimel <[email protected]>

data/anchore/2022/CVE-2022-41137.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "apache",
+    "cveId": "CVE-2022-41137",
+    "description": "Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data.\n\nIn real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/apache/hive",
+      "https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9",
+      "https://issues.apache.org/jira/browse/HIVE-26539",
+      "https://lists.apache.org/thread/jwtr3d9yovf2wo0qlxvkhoxnwxxyzgts"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://repo.maven.apache.org/maven2",
+        "cpes": [
+          "cpe:2.3:a:org.apache.hive:hive-exec:*:*:*:*:*:maven:*:*"
+        ],
+        "packageName": "org.apache.hive:hive-exec",
+        "packageType": "maven",
+        "product": "Apache Hive",
+        "vendor": "Apache Software Foundation",
+        "versions": [
+          {
+            "lessThan": "4.0.0",
+            "status": "affected",
+            "version": "4.0.0-alpha-1",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-0680.json

@@ -22,7 +22,7 @@
         "vendor": "nimeshrmr",
         "versions": [
           {
-            "lessThanOrEqual": "3.6",
+            "lessThan": "3.6.1",
             "status": "affected",
             "version": "0",
             "versionType": "custom"

data/anchore/2024/CVE-2024-10056.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10056",
+    "description": "The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3200766/",
+      "https://wordpress.org/plugins/contact-form-with-a-meeting-scheduler-by-vcita/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1b419c-2276-415d-8c54-15da9125c442?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:vcita:contact_form_builder_by_vcita:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "contact-form-with-a-meeting-scheduler-by-vcita",
+        "packageType": "wordpress-plugin",
+        "product": "Contact Form Builder by vcita",
+        "repo": "https://plugins.svn.wordpress.org/contact-form-with-a-meeting-scheduler-by-vcita",
+        "vendor": "eyale-vc",
+        "versions": [
+          {
+            "lessThan": "4.10.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10178.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10178",
+    "description": "The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3199233%40gutentor%2Ftrunk&old=3179242%40gutentor%2Ftrunk&sfp_email=&sfph_mail=",
+      "https://wordpress.org/plugins/gutentor/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/17ecebfd-b07f-415f-892f-e069ab84031a?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:gutentor:gutentor:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "gutentor",
+        "packageType": "wordpress-plugin",
+        "product": "Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor",
+        "repo": "https://plugins.svn.wordpress.org/gutentor",
+        "vendor": "gutentor",
+        "versions": [
+          {
+            "lessThan": "3.4.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10777.json

@@ -0,0 +1,39 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10777",
+    "description": "The AnyWhere Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.11 via the 'INSERT_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3198665%40anywhere-elementor&new=3198665%40anywhere-elementor&sfp_email=&sfph_mail=",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2138634-c149-4fd1-a33d-351bbf633ea3?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:wpvibes:anywhere_elementor:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "anywhere-elementor",
+        "packageType": "wordpress-plugin",
+        "product": "AnyWhere Elementor",
+        "repo": "https://plugins.svn.wordpress.org/anywhere-elementor",
+        "vendor": "wpvibes",
+        "versions": [
+          {
+            "lessThan": "1.2.12",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10874.json

@@ -23,7 +23,7 @@
         "vendor": "oooorgle",
         "versions": [
           {
-            "lessThanOrEqual": "3.0.0",
+            "lessThan": "3.0.1",
             "status": "affected",
             "version": "0",
             "versionType": "semver"

data/anchore/2024/CVE-2024-10937.json

@@ -0,0 +1,39 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10937",
+    "description": "The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.58 via the wp_ajax_nopriv_related_post_ajax_get_post_ids AJAX action. This makes it possible for unauthenticated attackers to extract sensitive data including titles of posts in draft status.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3199720%40related-post%2Ftrunk&old=3126666%40related-post%2Ftrunk&sfp_email=&sfph_mail=",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/85f7c69d-0b48-47af-9451-3cfd4326ffe5?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:pickplugins:related_post:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "related-post",
+        "packageType": "wordpress-plugin",
+        "product": "Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins",
+        "repo": "https://plugins.svn.wordpress.org/related-post",
+        "vendor": "pickplugins",
+        "versions": [
+          {
+            "lessThan": "2.0.59",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-11420.json

@@ -0,0 +1,39 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11420",
+    "description": "The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Info Block link parameter in all versions up to, and including, 2.0.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://themes.trac.wordpress.org/changeset/249744/blocksy/2.0.78/inc/components/contacts-box.php",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/02ad47d5-f011-4e0a-af29-088852d1e886?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/themes",
+        "cpes": [
+          "cpe:2.3:a:creativethemes:blocksy:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "blocksy",
+        "packageType": "wordpress-theme",
+        "product": "Blocksy",
+        "repo": "https://themes.svn.wordpress.org/blocksy",
+        "vendor": "creativethemeshq",
+        "versions": [
+          {
+            "lessThan": "2.0.78",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-52436.json

@@ -23,7 +23,7 @@
         "vendor": "Post SMTP",
         "versions": [
           {
-            "lessThanOrEqual": "2.9.9",
+            "lessThan": "2.9.10",
             "status": "affected",
             "version": "0",
             "versionType": "custom"

data/anchore/2024/CVE-2024-53751.json

@@ -33,6 +33,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a68e014-69df-4498-9cc2-618d966e5ed6?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-53784.json

@@ -33,6 +33,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6125a734-c185-4a97-a4fe-a739aa20de13?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-53786.json

@@ -34,6 +34,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a29ebdcb-3b03-4504-b553-6f7633c68f3f?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-53787.json

@@ -33,6 +33,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/32369351-ddae-452f-b286-6478deab5a97?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-53792.json

@@ -22,7 +22,7 @@
         "vendor": "Kiboko Labs",
         "versions": [
           {
-            "lessThanOrEqual": "3.4.2",
+            "lessThan": "3.4.1.3",
             "status": "affected",
             "version": "0",
             "versionType": "custom"
@@ -33,6 +33,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3aa8d64-a0d1-49ad-ad92-e2a2bf066fe1?source=cve"
+      }
+    ]
   }
 }