updates 2024-09-19

Signed-off-by: Weston Steimel <[email protected]>

data/anchore/2024/CVE-2024-42404.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "jpcert",
+    "cveId": "CVE-2024-42404",
+    "description": "SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://jvn.jp/en/jp/JVN19766555/",
+      "https://www.welcart.com/archives/22581.html"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:collne:welcart:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "usc-e-shop",
+        "packageType": "wordpress-plugin",
+        "product": "Welcart e-Commerce",
+        "repo": "https://plugins.svn.wordpress.org/usc-e-shop",
+        "vendor": "Welcart Inc.",
+        "versions": [
+          {
+            "lessThan": "2.11.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-43126.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2024-43126",
+    "description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sender Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce allows Reflected XSS.This issue affects Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce: from n/a through 2.6.14.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/sender-net-automated-emails/wordpress-sender-newsletter-sms-and-email-marketing-automation-for-woocommerce-plugin-2-6-14-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 2.6.16 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:sender:sender:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "sender-net-automated-emails",
+        "packageType": "wordpress-plugin",
+        "product": "Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce",
+        "repo": "https://plugins.svn.wordpress.org/sender-net-automated-emails",
+        "vendor": "Sender",
+        "versions": [
+          {
+            "lessThan": "2.6.16",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/868905af-ee6e-41a8-8040-84eee696b747?source=cve"
+      }
+    ]
+  }
+}

data/anchore/2024/CVE-2024-43975.json

@@ -15,7 +15,7 @@
     "affected": [
       {
         "cpes": [
-          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*"
+          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:wordpress:*:*"
         ],
         "packageName": "superstorefinder-wp",
         "packageType": "wordpress-plugin",

data/anchore/2024/CVE-2024-43976.json

@@ -15,7 +15,7 @@
     "affected": [
       {
         "cpes": [
-          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*"
+          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:wordpress:*:*"
         ],
         "packageName": "superstorefinder-wp",
         "packageType": "wordpress-plugin",

data/anchore/2024/CVE-2024-43978.json

@@ -15,7 +15,7 @@
     "affected": [
       {
         "cpes": [
-          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:*:*:*"
+          "cpe:2.3:a:superstorefinder:super_store_finder:*:*:*:*:*:wordpress:*:*"
         ],
         "packageName": "superstorefinder-wp",
         "packageType": "wordpress-plugin",

data/anchore/2024/CVE-2024-45298.json

@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "github_m",
+    "cveId": "CVE-2024-45298",
+    "description": "Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mail's on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only did it let me reset my password, but after resetting my password I can get into the wiki I was locked out of. The ramifications of this bug is a user can **bypass an account disabling by requesting their password be reset**.  All users of wiki.js version `2.5.303` who use any account restrictions and have disabled user are affected. This issue has been addressed in version 2.5.304 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/requarks/wiki/commit/b9fb17d4d4a0956ec35e8c73cc85192552fb8d16",
+      "https://github.com/requarks/wiki/security/advisories/GHSA-vwww-c5vg-xgfc"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://github.com",
+        "cpes": [
+          "cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "requarks/wiki",
+        "product": "wiki",
+        "repo": "https://github.com/requarks/wiki",
+        "vendor": "requarks",
+        "versions": [
+          {
+            "lessThan": "2.5.304",
+            "status": "affected",
+            "version": "2.5.303",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-45366.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "jpcert",
+    "cveId": "CVE-2024-45366",
+    "description": "Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://jvn.jp/en/jp/JVN19766555/",
+      "https://www.welcart.com/archives/22581.html"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:collne:welcart:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "usc-e-shop",
+        "packageType": "wordpress-plugin",
+        "product": "Welcart e-Commerce",
+        "repo": "https://plugins.svn.wordpress.org/usc-e-shop",
+        "vendor": "Welcart Inc.",
+        "versions": [
+          {
+            "lessThan": "2.11.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-45455.json

@@ -36,6 +36,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dc3c8e7-464e-4742-bc96-5a1dc8b27ae3?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-45456.json

@@ -36,6 +36,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6cbe4e-ee14-4361-9db3-d6e820ee7171?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-45457.json

@@ -36,6 +36,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5873ad24-a105-4ad0-b809-5bf13e61b0fa?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-45458.json

@@ -36,6 +36,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/200b579a-0287-4e2a-afb2-3b77b94dad25?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-45459.json

@@ -36,6 +36,11 @@
     "providerMetadata": {
       "orgId": "00000000-0000-4000-8000-000000000000",
       "shortName": "anchoreadp"
-    }
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de3580c-7740-41a1-a9e3-4b0abcac2a05?source=cve"
+      }
+    ]
   }
 }

data/anchore/2024/CVE-2024-45679.json

@@ -0,0 +1,35 @@
+{
+  "additionalMetadata": {
+    "cna": "jpcert",
+    "cveId": "CVE-2024-45679",
+    "description": "Heap-based buffer overflow vulnerability in Assimp versions prior to 5.4.3 allows a local attacker to execute arbitrary code by importing a specially crafted file into the product.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/assimp/assimp/releases/tag/v5.4.3",
+      "https://jvn.jp/en/jp/JVN42386607/"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Assimp",
+        "vendor": "Open Asset Import Library",
+        "versions": [
+          {
+            "lessThan": "5.4.3",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-45813.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "github_m",
+    "cveId": "CVE-2024-45813",
+    "description": "find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://blakeembrey.com/posts/2024-09-web-redos",
+      "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440",
+      "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://registry.npmjs.org",
+        "cpes": [
+          "cpe:2.3:a:find-my-way_project:find-my-way:*:*:*:*:*:node.js:*:*"
+        ],
+        "packageName": "find-my-way",
+        "packageType": "npm",
+        "product": "find-my-way",
+        "repo": "https://github.com/delvedor/find-my-way",
+        "vendor": "delvedor",
+        "versions": [
+          {
+            "lessThan": "8.2.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          },
+          {
+            "status": "affected",
+            "version": "9.0.0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-45815.json

@@ -13,8 +13,8 @@
       {
         "collectionURL": "https://registry.npmjs.org",
         "cpes": [
-          "cpe:2.3:a:linuxfoundation:backstage_plugin-catalog-backend:*:*:*:*:*:node.js:*:*",
-          "cpe:2.3:a:linuxfoundation:b\\@backstage\\/plugin-catalog-backend:*:*:*:*:*:node.js:*:*"
+          "cpe:2.3:a:linuxfoundation:\\@backstage\\/plugin-catalog-backend:*:*:*:*:*:node.js:*:*",
+          "cpe:2.3:a:linuxfoundation:backstage_plugin-catalog-backend:*:*:*:*:*:node.js:*:*"
         ],
         "packageName": "@backstage/plugin-catalog-backend",
         "packageType": "npm",