
updates 2024-12-03
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Dec 3, 2024
1 parent 7e3119a commit 8efdd34
Showing 25 changed files with 950 additions and 15 deletions.
32 changes: 26 additions & 6 deletions data/anchore/2024/CVE-2024-11403.json
Expand Up @@ -3,13 +3,9 @@
"cna": "google",
"cveId": "CVE-2024-11403",
"description": "There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. if using JxlEncoderAddJPEGFrame on untrusted input) does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli which is released as part of the same project, the same vulnerability is present. However, the relevant buffer is part of a bigger structure, and the code makes no assumptions on the values that could be overwritten. The issue could however cause jpegli to read uninitialised memory, or addresses of functions.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99"
],
"toDos": [
"Monitor for release"
]
},
"adp": {
Expand All @@ -28,10 +24,34 @@
"vendor": "libjxl",
"versions": [
{
"lessThan": "9cc451b91b74ba470fd72bd48c121e9f33d24c99",
"lessThan": "0.7.2",
"status": "affected",
"version": "0",
"versionType": "git"
"versionType": "semver"
},
{
"lessThan": "0.8.4",
"status": "affected",
"version": "0.8",
"versionType": "semver"
},
{
"lessThan": "0.9.4",
"status": "affected",
"version": "0.9",
"versionType": "semver"
},
{
"lessThan": "0.10.4",
"status": "affected",
"version": "0.10",
"versionType": "semver"
},
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.11",
"versionType": "semver"
}
]
}
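Review bot: The new semver ranges (the five entries ending at `"lessThan": "0.11.1"`) assert that 0.7.2, 0.8.4, 0.9.4, 0.10.4 and 0.11.1 each contain the fix, but the only reference kept is the fixing commit and the CNA text itself only says "prior to commit 9cc451b…"; nothing in this record lets a consumer verify that those patch releases actually carry that commit. Add the upstream release notes or advisory that lists the backported releases to `references`, since the switch from `versionType: "git"` to `semver` drops the one piece of evidence the record had. The `reason` field still reads as if only CPEs were added; I would make it `"reason": "Added CPE configurations and fixed-version ranges from upstream release notes because not yet analyzed by NVD."`. Note also that the first range (`"version": "0"` up to 0.7.2) combined with the 0.8 range implicitly marks 0.7.2 ≤ x < 0.8 as unaffected, which is only right if 0.7.2 is genuinely a fixed release — worth confirming against the same reference.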
32 changes: 26 additions & 6 deletions data/anchore/2024/CVE-2024-11498.json
Expand Up @@ -3,13 +3,9 @@
"cna": "google",
"cveId": "CVE-2024-11498",
"description": "There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/libjxl/libjxl/pull/3943"
],
"toDos": [
"Monitor for release"
]
},
"adp": {
Expand All @@ -28,10 +24,34 @@
"vendor": "libjxl",
"versions": [
{
"lessThan": "65fbec56bc578b6b6ee02a527be70787bbd053b0",
"lessThan": "0.7.2",
"status": "affected",
"version": "0",
"versionType": "git"
"versionType": "semver"
},
{
"lessThan": "0.8.4",
"status": "affected",
"version": "0.8",
"versionType": "semver"
},
{
"lessThan": "0.9.4",
"status": "affected",
"version": "0.9",
"versionType": "semver"
},
{
"lessThan": "0.10.4",
"status": "affected",
"version": "0.10",
"versionType": "semver"
},
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.11",
"versionType": "semver"
}
]
}
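Review bot: The five semver ranges replacing `"lessThan": "65fbec56…"` claim backported fixes in 0.7.2 through 0.11.1, yet the sole reference is the pull request and the description only recommends "upgrading past commit 65fbec5…"; the record gives no source for the branch boundaries, so a reader cannot audit them. Add the upstream release notes or advisory that names the patched releases to `references` before relying on these ranges for matching. A caveat for anyone scoring from this record: the CNA text is titled a "stack buffer overflow" but describes excessive stack consumption by a crafted file (resource exhaustion, not memory corruption), so the impact should be treated as DoS unless the PR shows otherwise — I would not change the CNA text, but the `reason` field could note it.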
43 changes: 43 additions & 0 deletions data/anchore/2024/CVE-2024-12015.json
@@ -0,0 +1,43 @@
{
"additionalMetadata": {
"cna": "tenable",
"cveId": "CVE-2024-12015",
"description": "The 'Project Manager' WordPress Plugin is affected by an authenticated SQL injection vulnerability in the 'orderby' parameter in the '/pm/v2/activites' route.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.tenable.com/security/research/tra-2024-47"
]
},
"adp": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"cpes": [
"cpe:2.3:a:wedevs:wp_project_manager:*:*:*:*:*:wordpress:*:*"
],
"packageName": "wedevs-project-manager",
"packageType": "wordpress-plugin",
"product": "WP Project Manager",
"repo": "https://plugins.svn.wordpress.org/wedevs-project-manager",
"vendor": "WeDevs",
"versions": [
{
"lessThanOrEqual": "2.6.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-8000-000000000000",
"shortName": "anchoreadp"
},
"references": [
{
"url": "https://patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-15-sql-injection-vulnerability"
}
]
}
}
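Review bot: The single range `"lessThanOrEqual": "2.6.15"` with `"version": "0"` encodes "every release up to 2.6.15, fix unknown", so a consumer cannot tell whether 2.6.16 and later are clean. If the Tenable advisory (tra-2024-47) or the plugin changelog names the fixing release, model it as `"lessThan": "<fixed version>"` so matching stops at the fix; if no fix exists yet, say so in `reason` (e.g. `"reason": "Added CPE configurations because not yet analyzed by NVD; no fixed release known at time of entry."`) so the bound is revisited. Note the route in the description, `/pm/v2/activites`, is quoted from the CNA and should stay as written even though it looks like a misspelling.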
37 changes: 37 additions & 0 deletions data/anchore/2024/CVE-2024-50380.json
@@ -0,0 +1,37 @@
{
"additionalMetadata": {
"cna": "icscert",
"cveId": "CVE-2024-50380",
"description": "Snap One OVRC cloud uses the MAC address as an identifier to provide information when requested. An attacker can impersonate other devices by supplying enumerated MAC addresses and receive sensitive information about the device.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
],
"solutions": [
"Snap One has released the following updates/fixes for the affected products:\n\n * OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.\n * OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.\n * Disable UPnP.\n\n\nFor more information, see Snap One’s Release Notes https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf ."
]
},
"adp": {
"affected": [
{
"cpes": [
"cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*"
],
"product": "OVRC cloud",
"vendor": "Snap One",
"versions": [
{
"lessThan": "7.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-8000-000000000000",
"shortName": "anchoreadp"
}
}
}
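Review bot: The CPE `cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*` spells the product `orvc` while every other field in the record says OVRC/OvrC, and the `pro` token sits in the target_sw slot (the same slot that holds `wordpress` in the plugin entries in this commit), which reads as "runs on platform pro" rather than "Pro edition". Both may be deliberate copies of an existing NVD dictionary entry, but I cannot tell from the record; verify against the NVD CPE dictionary, because a product-name typo or a wrong slot means scanner inventories built from the canonical CPE will never match this override. If the dictionary entry differs, correct the string here rather than waiting for NVD's own analysis to supersede it.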
37 changes: 37 additions & 0 deletions data/anchore/2024/CVE-2024-50381.json
@@ -0,0 +1,37 @@
{
"additionalMetadata": {
"cna": "icscert",
"cveId": "CVE-2024-50381",
"description": "A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request to unclaim it from its original connection and make a request to claim it.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
],
"solutions": [
"Snap One has released the following updates/fixes for the affected products:\n\n * OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.\n * OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.\n * Disable UPnP.\n\n\nFor more information, see Snap One’s Release Notes https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf ."
]
},
"adp": {
"affected": [
{
"cpes": [
"cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*"
],
"product": "OVRC cloud",
"vendor": "Snap One",
"versions": [
{
"lessThan": "7.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-8000-000000000000",
"shortName": "anchoreadp"
}
}
}
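Review bot: The affected entry names `"product": "OVRC cloud"` but bounds it with `"lessThan": "7.3"`, and the solution text ties 7.2/7.3 to OvrC Pro updates pushed to devices; a cloud service is not something a customer runs at a version, so the range as written describes the device-side OvrC Pro release rather than the product named. Either name the device-side software in `product` or state in `reason` that the cloud-side fix is not version-gated and 7.3 is the client release that accompanies it, otherwise matching on `OVRC cloud < 7.3` is meaningless for inventory consumers. Assuming the description is accurate, the claim/unclaim impersonation is authenticated only by a MAC address, so operators still on the listed device versions should also follow the advisory's "Disable UPnP" item rather than relying solely on the cloud push.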
2 changes: 1 addition & 1 deletion data/anchore/2024/CVE-2024-50525.json
Expand Up @@ -22,7 +22,7 @@
"vendor": "Helloprint",
"versions": [
{
"lessThanOrEqual": "2.0.2",
"lessThan": "2.0.5",
"status": "affected",
"version": "0",
"versionType": "custom"
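Review bot: Changing `"lessThanOrEqual": "2.0.2"` to `"lessThan": "2.0.5"` widens the affected set to include 2.0.3 and 2.0.4 and asserts 2.0.5 as the fix, but the reference that establishes this is not in the visible hunk; if it was not added alongside, the record now carries an unsourced boundary. A one-line note in `reason` (which lies outside this hunk) naming where 2.0.5 comes from would let the next person audit it.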
43 changes: 43 additions & 0 deletions data/anchore/2024/CVE-2024-52492.json
@@ -0,0 +1,43 @@
{
"additionalMetadata": {
"cna": "patchstack",
"cveId": "CVE-2024-52492",
"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gopi Ramasamy Image horizontal reel scroll slideshow allows Stored XSS.This issue affects Image horizontal reel scroll slideshow: from n/a through 13.4.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://patchstack.com/database/wordpress/plugin/image-horizontal-reel-scroll-slideshow/vulnerability/wordpress-image-horizontal-reel-scroll-slideshow-plugin-13-4-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
]
},
"adp": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"cpes": [
"cpe:2.3:a:gopiplus:image_horizontal_reel_scroll_slideshow:*:*:*:*:*:wordpress:*:*"
],
"packageName": "image-horizontal-reel-scroll-slideshow",
"packageType": "wordpress-plugin",
"product": "Image horizontal reel scroll slideshow",
"repo": "https://plugins.svn.wordpress.org/image-horizontal-reel-scroll-slideshow",
"vendor": "Gopi Ramasamy",
"versions": [
{
"lessThanOrEqual": "13.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-8000-000000000000",
"shortName": "anchoreadp"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff21c04-b615-417a-a640-e17c3211f449?source=cve"
}
]
}
}
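Review bot: The reference URLs carry tracking query strings (`?_s_id=cve` on the Patchstack link and `?source=cve` on the Wordfence link); these are attribution parameters, not part of the resource, and they defeat URL-based deduplication against the same advisories cited elsewhere in the corpus. I would store the canonical URLs without the query string unless the project convention is to keep references verbatim from the CNA record. Separately, `"lessThanOrEqual": "13.4"` mirrors the CNA's "through 13.4" and leaves the fix release unstated; if a patched version exists, `lessThan` with that version is the more useful bound.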
43 changes: 43 additions & 0 deletions data/anchore/2024/CVE-2024-52493.json
@@ -0,0 +1,43 @@
{
"additionalMetadata": {
"cna": "patchstack",
"cveId": "CVE-2024-52493",
"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Leuze Meteor Slides allows Stored XSS.This issue affects Meteor Slides: from n/a through 1.5.7.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://patchstack.com/database/wordpress/plugin/meteor-slides/vulnerability/wordpress-meteor-slides-plugin-1-5-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
]
},
"adp": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"cpes": [
"cpe:2.3:a:meteor_slides_project:meteor_slides:*:*:*:*:*:wordpress:*:*"
],
"packageName": "meteor-slides",
"packageType": "wordpress-plugin",
"product": "Meteor Slides",
"repo": "https://plugins.svn.wordpress.org/meteor-slides",
"vendor": "Josh Leuze",
"versions": [
{
"lessThanOrEqual": "1.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-8000-000000000000",
"shortName": "anchoreadp"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7922de94-986c-47c1-ab95-284734ef85d1?source=cve"
}
]
}
}
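Review bot: The CPE vendor token `meteor_slides_project` (the NVD placeholder form used when no vendor is assigned) disagrees with the `"vendor": "Josh Leuze"` field in the same entry; this is presumably an anticipation of how NVD will name it, but nothing in the record says so. Since these overrides exist precisely because NVD has not analyzed the CVE yet, note in `reason` that the vendor token is provisional, and re-check it when NVD publishes its configuration so the override and the eventual NVD CPE do not diverge. As with the sibling entries, the Wordfence reference URL carries a `?source=cve` tracking parameter that could be dropped for a stable canonical reference.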
