From 298599fe2724390da8821345aedd98938db0d181 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 12:31:27 +0000 Subject: [PATCH] Publish Advisories GHSA-95gx-prcc-xj69 GHSA-g57x-f29r-g9gv GHSA-wvf7-262j-g8m8 --- .../GHSA-95gx-prcc-xj69.json | 54 +++++++++++++++++++ .../GHSA-g57x-f29r-g9gv.json | 38 +++++++++++++ .../GHSA-wvf7-262j-g8m8.json | 38 +++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 advisories/unreviewed/2024/07/GHSA-95gx-prcc-xj69/GHSA-95gx-prcc-xj69.json create mode 100644 advisories/unreviewed/2024/07/GHSA-g57x-f29r-g9gv/GHSA-g57x-f29r-g9gv.json create mode 100644 advisories/unreviewed/2024/07/GHSA-wvf7-262j-g8m8/GHSA-wvf7-262j-g8m8.json diff --git a/advisories/unreviewed/2024/07/GHSA-95gx-prcc-xj69/GHSA-95gx-prcc-xj69.json b/advisories/unreviewed/2024/07/GHSA-95gx-prcc-xj69/GHSA-95gx-prcc-xj69.json new file mode 100644 index 0000000000000..79e0dedd18ee4 --- /dev/null +++ b/advisories/unreviewed/2024/07/GHSA-95gx-prcc-xj69/GHSA-95gx-prcc-xj69.json @@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-95gx-prcc-xj69", + "modified": "2024-07-20T12:30:25Z", + "published": "2024-07-20T12:30:25Z", + "aliases": [ + "CVE-2024-6848" + ], + "details": "The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 1.26.6 due to insufficient input sanitization and output escaping affecting the boldgrid_canvas_image AJAX endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6848" + }, + { + "type": "WEB", + "url": "https://github.com/BoldGrid/post-and-page-builder/issues/612" + }, + { + "type": "WEB", + "url": "https://github.com/BoldGrid/post-and-page-builder/pull/613/commits/64c33a6d0c9dbb0151d3af5fee9e026df6c5a2f6" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/post-and-page-builder/tags/1.26.6/includes/class-boldgrid-editor-ajax.php#L372" + }, + { + "type": "WEB", + "url": "https://wordpress.org/plugins/post-and-page-builder/#developers" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d5dcec8-fa36-43ab-9a35-0b391fe1d88e?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-07-20T12:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/07/GHSA-g57x-f29r-g9gv/GHSA-g57x-f29r-g9gv.json b/advisories/unreviewed/2024/07/GHSA-g57x-f29r-g9gv/GHSA-g57x-f29r-g9gv.json new file mode 100644 index 0000000000000..a9b01b91057b3 --- /dev/null +++ b/advisories/unreviewed/2024/07/GHSA-g57x-f29r-g9gv/GHSA-g57x-f29r-g9gv.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g57x-f29r-g9gv", + "modified": "2024-07-20T12:30:25Z", + "published": "2024-07-20T12:30:25Z", + "aliases": [ + "CVE-2024-37562" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BracketSpace Simple Post Notes allows Stored XSS.This issue affects Simple Post Notes: from n/a through 1.7.7.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37562" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/simple-post-notes/wordpress-simple-post-notes-plugin-1-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-07-20T10:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/07/GHSA-wvf7-262j-g8m8/GHSA-wvf7-262j-g8m8.json b/advisories/unreviewed/2024/07/GHSA-wvf7-262j-g8m8/GHSA-wvf7-262j-g8m8.json new file mode 100644 index 0000000000000..d1f0570a3e484 --- /dev/null +++ b/advisories/unreviewed/2024/07/GHSA-wvf7-262j-g8m8/GHSA-wvf7-262j-g8m8.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wvf7-262j-g8m8", + "modified": "2024-07-20T12:30:25Z", + "published": "2024-07-20T12:30:25Z", + "aliases": [ + "CVE-2024-37561" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jamie Bergen Plugin Notes Plus allows Stored XSS.This issue affects Plugin Notes Plus: from n/a through 1.2.6.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37561" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/plugin-notes-plus/wordpress-plugin-notes-plus-plugin-1-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-07-20T10:15:02Z" + } +} \ No newline at end of file