Publish Advisories

GHSA-vjqc-g788-f378 GHSA-2pwj-8mjg-j34f GHSA-47rx-9m4v-5f59 GHSA-65vg-43vj-r32c GHSA-6xjf-hqcm-9g3f GHSA-7pp5-c4g8-xxc4 GHSA-9xp2-5x23-fhj5 GHSA-gjq6-76gc-q75p GHSA-h67p-q5m6-859h GHSA-hfqr-7mcf-f22q
github · Feb 23, 2024 · b56da45 · b56da45
1 parent ad6a036
commit b56da45
Show file tree

Hide file tree

Showing 10 changed files with 385 additions and 1 deletion.
diff --git a/advisories/github-reviewed/2024/02/GHSA-vjqc-g788-f378/GHSA-vjqc-g788-f378.json b/advisories/github-reviewed/2024/02/GHSA-vjqc-g788-f378/GHSA-vjqc-g788-f378.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vjqc-g788-f378",
-  "modified": "2024-02-21T00:21:28Z",
+  "modified": "2024-02-23T12:30:30Z",
   "published": "2024-02-20T12:31:00Z",
   "aliases": [
     "CVE-2023-50270"
@@ -53,6 +53,10 @@
       "type": "WEB",
       "url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
+    },
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2024/02/20/3"

diff --git a/advisories/unreviewed/2024/02/GHSA-2pwj-8mjg-j34f/GHSA-2pwj-8mjg-j34f.json b/advisories/unreviewed/2024/02/GHSA-2pwj-8mjg-j34f/GHSA-2pwj-8mjg-j34f.json
@@ -0,0 +1,39 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2pwj-8mjg-j34f",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2023-4826"
+  ],
+  "details": "The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4826"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/99ec0add-8f4d-4d68-91aa-80b1631a53bf"
+    },
+    {
+      "type": "WEB",
+      "url": "http://socialdriver.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T10:15:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-47rx-9m4v-5f59/GHSA-47rx-9m4v-5f59.json b/advisories/unreviewed/2024/02/GHSA-47rx-9m4v-5f59/GHSA-47rx-9m4v-5f59.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-47rx-9m4v-5f59",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-1360"
+  ],
+  "details": "The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1360"
+    },
+    {
+      "type": "WEB",
+      "url": "https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T11:15:08Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-65vg-43vj-r32c/GHSA-65vg-43vj-r32c.json b/advisories/unreviewed/2024/02/GHSA-65vg-43vj-r32c/GHSA-65vg-43vj-r32c.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-65vg-43vj-r32c",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-1361"
+  ],
+  "details": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1361"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/extend-builder/api/api.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/233a29f5-12bf-4849-9b28-4458a0b0c940?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T11:15:08Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-6xjf-hqcm-9g3f/GHSA-6xjf-hqcm-9g3f.json b/advisories/unreviewed/2024/02/GHSA-6xjf-hqcm-9g3f/GHSA-6xjf-hqcm-9g3f.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xjf-hqcm-9g3f",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-25928"
+  ],
+  "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sitepact.This issue affects Sitepact: from n/a through 1.0.5.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25928"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/sitepact-klaviyo-contact-form-7/wordpress-sitepact-s-contact-form-7-extension-for-klaviyo-plugin-1-0-5-reflected-xss-via-sql-injection-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T12:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-7pp5-c4g8-xxc4/GHSA-7pp5-c4g8-xxc4.json b/advisories/unreviewed/2024/02/GHSA-7pp5-c4g8-xxc4/GHSA-7pp5-c4g8-xxc4.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7pp5-c4g8-xxc4",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-26593"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.",
+  "severity": [
+
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T10:15:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-9xp2-5x23-fhj5/GHSA-9xp2-5x23-fhj5.json b/advisories/unreviewed/2024/02/GHSA-9xp2-5x23-fhj5/GHSA-9xp2-5x23-fhj5.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9xp2-5x23-fhj5",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-25915"
+  ],
+  "details": "Server-Side Request Forgery (SSRF) vulnerability in Raaj Trambadia Pexels: Free Stock Photos.This issue affects Pexels: Free Stock Photos: from n/a through 1.2.2.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25915"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/wp-pexels-free-stock-photos/wordpress-pexels-free-stock-photos-plugin-1-2-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T12:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-gjq6-76gc-q75p/GHSA-gjq6-76gc-q75p.json b/advisories/unreviewed/2024/02/GHSA-gjq6-76gc-q75p/GHSA-gjq6-76gc-q75p.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gjq6-76gc-q75p",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-1590"
+  ],
+  "details": "The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1590"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3039750%40pagelayer&new=3039750%40pagelayer&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e635dfb3-002d-4197-b14a-0136a1990a75?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T10:15:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/02/GHSA-h67p-q5m6-859h/GHSA-h67p-q5m6-859h.json b/advisories/unreviewed/2024/02/GHSA-h67p-q5m6-859h/GHSA-h67p-q5m6-859h.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h67p-q5m6-859h",
+  "modified": "2024-02-23T12:30:31Z",
+  "published": "2024-02-23T12:30:31Z",
+  "aliases": [
+    "CVE-2024-1362"
+  ],
+  "details": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1362"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/src/PageBuilder.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5e7a994-c489-4aea-a9bb-898bc92cae4e?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-23T11:15:08Z"
+  }
+}