Publish Advisories

GHSA-5jqc-qj57-4hrc
GHSA-5wc3-v5j6-m54x
GHSA-6mj5-h7qr-54w9
GHSA-84rm-429m-4rw9
GHSA-878h-rqcq-mv3x
GHSA-9fr6-vrhc-9hmv
GHSA-f9vg-6v95-272r
GHSA-j8c5-63vq-fhwp
GHSA-jjx3-27m5-92gh
GHSA-m3h2-c325-9hxr
GHSA-qfjh-mvq6-c5p8
GHSA-r9cv-hj2f-58h4
GHSA-rp6h-498m-mg3v
GHSA-vw59-9q4v-cjr4
GHSA-wr7j-7cg5-p3pv

advisories/unreviewed/2024/06/GHSA-5jqc-qj57-4hrc/GHSA-5jqc-qj57-4hrc.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5jqc-qj57-4hrc",
+  "modified": "2024-06-04T21:32:20Z",
+  "published": "2024-06-04T21:32:20Z",
+  "aliases": [
+    "CVE-2024-36857"
+  ],
+  "details": "Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36857"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:14Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-5wc3-v5j6-m54x/GHSA-5wc3-v5j6-m54x.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5wc3-v5j6-m54x",
+  "modified": "2024-06-04T21:32:20Z",
+  "published": "2024-06-04T21:32:20Z",
+  "aliases": [
+    "CVE-2024-36604"
+  ],
+  "details": "Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via stpEn parameter in the SetStp function. This vulnerability allows attackers to execute arbitrary commands with root privileges.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36604"
+    },
+    {
+      "type": "WEB",
+      "url": "https://exzettabyte.me/blind-command-injection-in-stp-service-on-tenda-o3v2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:13Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-6mj5-h7qr-54w9/GHSA-6mj5-h7qr-54w9.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6mj5-h7qr-54w9",
+  "modified": "2024-06-04T21:32:19Z",
+  "published": "2024-06-04T21:32:19Z",
+  "aliases": [
+    "CVE-2024-25095"
+  ],
+  "details": "Insertion of Sensitive Information into Log File vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through 6.9.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25095"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/yikes-inc-easy-mailchimp-extender/wordpress-easy-forms-for-mailchimp-plugin-6-8-10-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:18:45Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-84rm-429m-4rw9/GHSA-84rm-429m-4rw9.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-84rm-429m-4rw9",
+  "modified": "2024-06-04T21:32:22Z",
+  "published": "2024-06-04T21:32:22Z",
+  "aliases": [
+    "CVE-2024-4520"
+  ],
+  "details": "An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requiring any form of interaction between the users. Exploitation of this vulnerability could lead to data breaches, including the exposure of sensitive personal details, financial data, or confidential conversations. Additionally, it could facilitate identity theft and manipulation or fraud through the unauthorized access to users' chat histories. This issue is due to insufficient access control mechanisms in the application's handling of chat history data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4520"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/0dd2da9f-998d-45aa-a646-97391f524000"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T20:15:11Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-878h-rqcq-mv3x/GHSA-878h-rqcq-mv3x.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-878h-rqcq-mv3x",
+  "modified": "2024-06-04T21:32:21Z",
+  "published": "2024-06-04T21:32:21Z",
+  "aliases": [
+    "CVE-2024-37273"
+  ],
+  "details": "An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37273"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HackAllSec/CVEs/tree/main/Jan%20Arbitrary%20File%20Upload%20vulnerability"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:15Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-9fr6-vrhc-9hmv/GHSA-9fr6-vrhc-9hmv.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9fr6-vrhc-9hmv",
+  "modified": "2024-06-04T21:32:22Z",
+  "published": "2024-06-04T21:32:22Z",
+  "aliases": [
+    "CVE-2024-4220"
+  ],
+  "details": "Prior to 23.1, an information disclosure vulnerability exists within BeyondInsight which can allow an attacker to enumerate usernames.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4220"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.beyondtrust.com/trust-center/security-advisories/BT24-06"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T21:15:35Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-f9vg-6v95-272r/GHSA-f9vg-6v95-272r.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f9vg-6v95-272r",
+  "modified": "2024-06-04T21:32:22Z",
+  "published": "2024-06-04T21:32:22Z",
+  "aliases": [
+    "CVE-2024-30525"
+  ],
+  "details": "Missing Authorization vulnerability in moveaddons Move Addons for Elementor.This issue affects Move Addons for Elementor: from n/a through 1.2.9.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30525"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/move-addons/wordpress-move-addons-for-elementor-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T20:15:10Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-j8c5-63vq-fhwp/GHSA-j8c5-63vq-fhwp.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j8c5-63vq-fhwp",
+  "modified": "2024-06-04T21:32:19Z",
+  "published": "2024-06-04T21:32:19Z",
+  "aliases": [
+    "CVE-2024-35670"
+  ],
+  "details": "Broken Authentication vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.93.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35670"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/integrate-google-drive/wordpress-integrate-google-drive-plugin-1-3-93-broken-access-control-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:08Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-jjx3-27m5-92gh/GHSA-jjx3-27m5-92gh.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jjx3-27m5-92gh",
+  "modified": "2024-06-04T21:32:19Z",
+  "published": "2024-06-04T21:32:19Z",
+  "aliases": [
+    "CVE-2024-34759"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VideoWhisper Picture Gallery allows Stored XSS.This issue affects Picture Gallery: from n/a through 1.5.11.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34759"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/picture-gallery/wordpress-picture-gallery-plugin-1-5-11-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:03Z"
+  }
+}

advisories/unreviewed/2024/06/GHSA-m3h2-c325-9hxr/GHSA-m3h2-c325-9hxr.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m3h2-c325-9hxr",
+  "modified": "2024-06-04T21:32:20Z",
+  "published": "2024-06-04T21:32:19Z",
+  "aliases": [
+    "CVE-2024-35672"
+  ],
+  "details": "Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.16.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35672"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/netgsm/wordpress-netgsm-plugin-2-9-16-broken-access-control-vulnerability-2?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-06-04T19:20:08Z"
+  }
+}