From b58e5ffef038aaa26022fb9773c9699a62ada198 Mon Sep 17 00:00:00 2001 From: Pierre Rudloff Date: Tue, 1 Apr 2025 21:19:29 +0200 Subject: [PATCH] Improve GHSA-v2rr-fhv8-mx74 --- .../GHSA-v2rr-fhv8-mx74.json | 30 +++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/advisories/unreviewed/2025/03/GHSA-v2rr-fhv8-mx74/GHSA-v2rr-fhv8-mx74.json b/advisories/unreviewed/2025/03/GHSA-v2rr-fhv8-mx74/GHSA-v2rr-fhv8-mx74.json index a57071323e5f6..598f6525d26c8 100644 --- a/advisories/unreviewed/2025/03/GHSA-v2rr-fhv8-mx74/GHSA-v2rr-fhv8-mx74.json +++ b/advisories/unreviewed/2025/03/GHSA-v2rr-fhv8-mx74/GHSA-v2rr-fhv8-mx74.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-v2rr-fhv8-mx74", - "modified": "2025-03-26T21:31:06Z", + "modified": "2025-03-26T21:32:12Z", "published": "2025-03-26T06:31:37Z", "aliases": [ "CVE-2024-11847" ], + "summary": "Author+ Stored XSS via SVG", "details": "The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.", "severity": [ { @@ -13,19 +14,42 @@ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "digimix/wp-svg-upload" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11847" }, + { + "type": "PACKAGE", + "url": "https://github.com/digimix/wp-svg-upload" + }, { "type": "WEB", "url": "https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65" } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-79" + ], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null,