missed updates
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Oct 7, 2024
1 parent c5afdd0 commit b360f03
Showing 35 changed files with 17 additions and 51 deletions.
3 changes: 2 additions & 1 deletion data/anchore/2024/CVE-2024-35235.json
Expand Up @@ -17,7 +17,8 @@
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*"
"cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*",
"cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*"
],
"packageName": "openprinting/cups",
"product": "cups",
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-41722.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-41722",
"description": "In the goTenna Pro ATAK Plugin there is a vulnerability that makes it \npossible to inject any custom message with any GID and Callsign using a \nsoftware defined radio in existing gotenna mesh networks. This \nvulnerability can be exploited if the device is being used in a \nunencrypted environment or if the cryptography has already been \ncompromised.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
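Review bot: The affected range in the second hunk moves from `"lessThanOrEqual": "1.9.12"` to `"lessThan": "2.0.7"` (reading the printed pair as old then new), which adds 1.9.13 through 2.0.6 to the affected set and switches to an exclusive bound that a `"versionType": "custom"` comparator in the consumer must handle; the new fixed version should be traceable to the ICSA-24-270-05 reference already in the file. The same change appears in CVE-2024-41931, -43108, -43694, -43814, -45374, -45723 and -45838, and with `1.61` → `2.0.3` in CVE-2024-47121 through -47127. Separately, `"needsReview": true` is dropped in every file of this commit while `"reason"` still reads `Added CPE configurations because not yet analyzed by NVD.`; if needsReview marks pending human review, the reason should record what the review changed, e.g. `"reason": "Added CPE configurations because not yet analyzed by NVD; affected range updated per ICSA-24-270-05."`. The enclosing JSON object starts before the first hunk and ends after the second.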
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-41931.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-41931",
"description": "The goTenna Pro ATAK Plugin broadcast key name is always sent unencrypted and could reveal the location of operation.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-43108.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-43108",
"description": "The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted \nmessages without any additional integrity checking mechanisms. This \nleaves messages malleable to any attacker that can access the message.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-43694.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-43694",
"description": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-43814.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-43814",
"description": "goTenna Pro ATAK Plugin by default enables frequent unencrypted \nPosition, Location and Information (PLI) transmission. This transmission\n is done without user's knowledge, revealing the exact location \ntransmitted in unencrypted form.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-44009.json
Expand Up @@ -3,7 +3,6 @@
"cna": "patchstack",
"cveId": "CVE-2024-44009",
"description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through 3.6.10.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://patchstack.com/database/vulnerability/wc-multivendor-marketplace/wordpress-wcfm-marketplace-3-6-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-44062.json
Expand Up @@ -3,7 +3,6 @@
"cna": "patchstack",
"cveId": "CVE-2024-44062",
"description": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6.5.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://patchstack.com/database/vulnerability/custom-field-template/wordpress-custom-field-template-plugin-2-6-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-45374.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-45374",
"description": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-45723.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-45723",
"description": "The goTenna Pro ATAK Plugin does not use SecureRandom when generating \nits cryptographic keys. The random function in use is not suitable for \ncryptographic use.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-45838.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-45838",
"description": "The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users.\n These callsigns reveal information about the users and can also be \nleveraged for other vulnerabilities.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47121.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47121",
"description": "The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47122.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47122",
"description": "In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47123.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47123",
"description": "The goTenna Pro series use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47124.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47124",
"description": "The goTenna pro series does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47126.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47126",
"description": "The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
3 changes: 1 addition & 2 deletions data/anchore/2024/CVE-2024-47127.json
Expand Up @@ -3,7 +3,6 @@
"cna": "icscert",
"cveId": "CVE-2024-47127",
"description": "In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
Expand All @@ -22,7 +21,7 @@
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.61",
"lessThan": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-47183.json
Expand Up @@ -3,7 +3,6 @@
"cna": "github_m",
"cveId": "CVE-2024-47183",
"description": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc",
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-47768.json
Expand Up @@ -3,7 +3,6 @@
"cna": "github_m",
"cveId": "CVE-2024-47768",
"description": "Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/Lif-Platforms/Lif-Auth-Server/commit/8dbd7cad914a8b939451c652bfb716aa796f754e",
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-47769.json
Expand Up @@ -3,7 +3,6 @@
"cna": "github_m",
"cveId": "CVE-2024-47769",
"description": "IDURAR is open source ERP CRM accounting invoicing software. The vulnerability exists in the corePublicRouter.js file. Using the reference usage here, it is identified that the public endpoint is accessible to an unauthenticated user. The user's input is directly appended to the join statement without additional checks. This allows an attacker to send URL encoded malicious payload. The directory structure can be escaped to read system files by adding an encoded string (payload) at subpath location.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/idurar/idurar-erp-crm/commit/949bc6fe31f3175c9e1864d30cf6c8110179ac14",
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-7617.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wordfence",
"cveId": "CVE-2024-7617",
"description": "The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://plugins.trac.wordpress.org/browser/contact-form-to-any-api/trunk/admin/partials/cf7-to-any-api-admin-entries.php",
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-7714.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wpscan",
"cveId": "CVE-2024-7714",
"description": "The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls allowing an unauthenticated user to disconnect the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 from OpenAI, thereby disabling the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://wpscan.com/vulnerability/04447c76-a61b-4091-a510-c76fc8ca5664/"
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-8379.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wpscan",
"cveId": "CVE-2024-8379",
"description": "The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://wpscan.com/vulnerability/a3463d5a-8215-4958-a6c0-039681c35a50/"
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-8486.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wordfence",
"cveId": "CVE-2024-8486",
"description": "The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php#L1168",
4 changes: 1 addition & 3 deletions data/anchore/2024/CVE-2024-8499.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wordfence",
"cveId": "CVE-2024-8499",
"description": "The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘render_review_request_notice’ function in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/trunk/admin/class-thwcfd-admin.php#L426",
Expand All @@ -16,8 +15,7 @@
{
"collectionURL": "https://wordpress.org/plugins",
"cpes": [
"cpe:2.3:a:themehigh:checkout_field_editor_for_woocommerce:*:*:*:*:*:wordpress:*:*",
"cpe:2.3:a:themehigh:checkout_field_editor_for_woocommerce:*:*:*:*:pro:wordpress:*:*"
"cpe:2.3:a:themehigh:checkout_field_editor_for_woocommerce:*:*:*:*:*:wordpress:*:*"
],
"packageName": "woo-checkout-field-editor-pro",
"packageType": "wordpress-plugin",
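Review bot: The second hunk appears to drop the `sw_edition=pro` CPE (`cpe:2.3:a:themehigh:checkout_field_editor_for_woocommerce:*:*:*:*:pro:wordpress:*:*`) and keep only the generic edition, which narrows what scanners will match while `"packageName"` stays `woo-checkout-field-editor-pro` and the `"reason"` in the first hunk is unchanged. If the pro edition is confirmed unaffected, or is tracked under a separate CPE, say so in `"reason"` so a later pass does not restore it as a "missed" CPE; otherwise the removal loses coverage. Which of the three `cpes` lines is old and which is new is inferred from the 1 addition / 3 deletions count and the trailing comma, not from an explicit marker. The enclosing JSON object continues past both hunks.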
1 change: 0 additions & 1 deletion data/anchore/2024/CVE-2024-8519.json
Expand Up @@ -3,7 +3,6 @@
"cna": "wordfence",
"cveId": "CVE-2024-8519",
"description": "The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"needsReview": true,
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/core/class-shortcodes.php#L433",