diff --git a/mapping.csv b/mapping.csv index 665a8af0413..a1a0b708950 100644 --- a/mapping.csv +++ b/mapping.csv @@ -250443,3 +250443,33 @@ vulnerability,CVE-2024-47077,vulnerability--6e7faa8b-020d-4a5b-8ae1-a18b2cb135b2 vulnerability,CVE-2024-47186,vulnerability--bf62d72f-aadb-497c-a18e-094b5ebfaa54 vulnerability,CVE-2024-47070,vulnerability--2c87e502-c8ab-42b1-b035-5fb16a0a19d0 vulnerability,CVE-2024-47182,vulnerability--d8507f99-d3e4-469e-883e-4fb0e9c40bdc +vulnerability,CVE-2024-9316,vulnerability--834de480-7a2c-4ed9-9ee6-4e1ee65d882c +vulnerability,CVE-2024-9317,vulnerability--ecf2ff50-0afb-43de-b41c-c0fd1520361c +vulnerability,CVE-2024-9295,vulnerability--e3e24298-f846-4d10-a52a-c3ed11db19b0 +vulnerability,CVE-2024-9299,vulnerability--11b0e8f6-f728-4aae-b1cb-9b21978987aa +vulnerability,CVE-2024-9319,vulnerability--4e7b6c97-901f-41e9-9974-81e01892349a +vulnerability,CVE-2024-9300,vulnerability--edd64d56-8f06-4f8a-b0f0-e6c6d2a42784 +vulnerability,CVE-2024-9318,vulnerability--33444de0-280b-48ea-95e9-05674f0ac688 +vulnerability,CVE-2024-9297,vulnerability--313ad78b-8a01-4f58-8375-465debe85838 +vulnerability,CVE-2024-9315,vulnerability--4e2fb5b9-d2cf-4077-918a-63e57260f629 +vulnerability,CVE-2024-9296,vulnerability--ef031c79-6ebb-45a1-a038-fab243b55c06 +vulnerability,CVE-2024-9298,vulnerability--49e2bbe6-efce-44fc-8f5f-67062c053789 +vulnerability,CVE-2024-9023,vulnerability--6899b06d-23c1-4dc3-ae23-ffc6451bee2f +vulnerability,CVE-2024-9320,vulnerability--b43b8e89-ace3-4ba3-95ef-cd52a80836c3 +vulnerability,CVE-2024-9189,vulnerability--f9ed7de6-66a6-428d-bdda-19c620300175 +vulnerability,CVE-2024-8353,vulnerability--8c140e08-5039-4ccc-ae3d-d24e041ea27f +vulnerability,CVE-2024-8189,vulnerability--63597722-3daa-4ba7-b585-ff27f4ea9f5a +vulnerability,CVE-2024-8788,vulnerability--3c92ac67-9de8-4ae3-9fe9-b3a9f50bcf3f +vulnerability,CVE-2024-8547,vulnerability--69517506-21ca-43de-807f-64a726189f57 +vulnerability,CVE-2024-8715,vulnerability--24e63025-2fd5-40cb-80b0-e7e72e88f25e +vulnerability,CVE-2024-8712,vulnerability--101c9c44-deea-423a-9a2a-059b332484fa +vulnerability,CVE-2024-23961,vulnerability--3a7ab6d5-5e26-4754-94d2-6adb955f3dae +vulnerability,CVE-2024-23957,vulnerability--e366e75a-26a1-49c9-a700-96f197062d09 +vulnerability,CVE-2024-23959,vulnerability--5f4061f8-1121-4b74-bc1d-c2c616c1ea03 +vulnerability,CVE-2024-23938,vulnerability--f5834857-d14c-4313-8d26-6a1477b2f342 +vulnerability,CVE-2024-23967,vulnerability--196f5dda-ed2f-4afa-8379-0118f45e2627 +vulnerability,CVE-2024-23960,vulnerability--7614ba8c-87a8-4053-b8c9-85acca5a8262 +vulnerability,CVE-2024-23923,vulnerability--f261d37f-c7c2-42d3-a75b-cff05942f18d +vulnerability,CVE-2024-23958,vulnerability--0e31a059-2540-402d-b710-3ce656708401 +vulnerability,CVE-2024-23924,vulnerability--637585fc-6a9e-418d-9aba-63152599585c +vulnerability,CVE-2024-23935,vulnerability--09f23506-9328-41ea-a308-f3e2565a2c73 diff --git a/objects/vulnerability/vulnerability--09f23506-9328-41ea-a308-f3e2565a2c73.json b/objects/vulnerability/vulnerability--09f23506-9328-41ea-a308-f3e2565a2c73.json new file mode 100644 index 00000000000..33438a3a210 --- /dev/null +++ b/objects/vulnerability/vulnerability--09f23506-9328-41ea-a308-f3e2565a2c73.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--3e13e0be-713b-48b1-97d0-11f0c13618ba", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--09f23506-9328-41ea-a308-f3e2565a2c73", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.317867Z", + "modified": "2024-09-29T00:22:41.317867Z", + "name": "CVE-2024-23935", + "description": "Alpine Halo9 DecodeUTF7 Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the DecodeUTF7 function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.\n\nWas ZDI-CAN-23249", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23935" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--0e31a059-2540-402d-b710-3ce656708401.json b/objects/vulnerability/vulnerability--0e31a059-2540-402d-b710-3ce656708401.json new file mode 100644 index 00000000000..079eb3b998e --- /dev/null +++ b/objects/vulnerability/vulnerability--0e31a059-2540-402d-b710-3ce656708401.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--ff6a25e3-c46b-437c-8c3d-5aa8e769adce", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--0e31a059-2540-402d-b710-3ce656708401", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.314337Z", + "modified": "2024-09-29T00:22:41.314337Z", + "name": "CVE-2024-23958", + "description": "Autel MaxiCharger AC Elite Business C50 BLE Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the BLE AppAuthenRequest command handler. The handler uses hardcoded credentials as a fallback in case of an authentication request failure. An attacker can leverage this vulnerability to bypass authentication on the system.\n\nWas ZDI-CAN-23196", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23958" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--101c9c44-deea-423a-9a2a-059b332484fa.json b/objects/vulnerability/vulnerability--101c9c44-deea-423a-9a2a-059b332484fa.json new file mode 100644 index 00000000000..f037012faca --- /dev/null +++ b/objects/vulnerability/vulnerability--101c9c44-deea-423a-9a2a-059b332484fa.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--164a4942-fcb3-4b00-9a64-b47dafe5dce6", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--101c9c44-deea-423a-9a2a-059b332484fa", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.111339Z", + "modified": "2024-09-29T00:22:41.111339Z", + "name": "CVE-2024-8712", + "description": "The GTM Server Side plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8712" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--11b0e8f6-f728-4aae-b1cb-9b21978987aa.json b/objects/vulnerability/vulnerability--11b0e8f6-f728-4aae-b1cb-9b21978987aa.json new file mode 100644 index 00000000000..3c63d47adf4 --- /dev/null +++ b/objects/vulnerability/vulnerability--11b0e8f6-f728-4aae-b1cb-9b21978987aa.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--72e42a08-5e01-44ae-ad31-4089ebf9b60a", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--11b0e8f6-f728-4aae-b1cb-9b21978987aa", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.04425Z", + "modified": "2024-09-29T00:22:41.04425Z", + "name": "CVE-2024-9299", + "description": "A vulnerability classified as problematic has been found in SourceCodester Online Railway Reservation System 1.0. This affects an unknown part of the file /?page=reserve. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9299" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--196f5dda-ed2f-4afa-8379-0118f45e2627.json b/objects/vulnerability/vulnerability--196f5dda-ed2f-4afa-8379-0118f45e2627.json new file mode 100644 index 00000000000..45d19edeb75 --- /dev/null +++ b/objects/vulnerability/vulnerability--196f5dda-ed2f-4afa-8379-0118f45e2627.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--deb63695-09ab-454a-a577-24abc68c811d", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--196f5dda-ed2f-4afa-8379-0118f45e2627", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.292113Z", + "modified": "2024-09-29T00:22:41.292113Z", + "name": "CVE-2024-23967", + "description": "Autel MaxiCharger AC Elite Business C50 WebSocket Base64 Decoding Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 chargers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the handling of base64-encoded data within WebSocket messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.\n\nWas ZDI-CAN-23230", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23967" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--24e63025-2fd5-40cb-80b0-e7e72e88f25e.json b/objects/vulnerability/vulnerability--24e63025-2fd5-40cb-80b0-e7e72e88f25e.json new file mode 100644 index 00000000000..49ef80a7fef --- /dev/null +++ b/objects/vulnerability/vulnerability--24e63025-2fd5-40cb-80b0-e7e72e88f25e.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--047c6ead-323f-41bd-91cd-8296bb9c74e7", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--24e63025-2fd5-40cb-80b0-e7e72e88f25e", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.109905Z", + "modified": "2024-09-29T00:22:41.109905Z", + "name": "CVE-2024-8715", + "description": "The Simple LDAP Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8715" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--313ad78b-8a01-4f58-8375-465debe85838.json b/objects/vulnerability/vulnerability--313ad78b-8a01-4f58-8375-465debe85838.json new file mode 100644 index 00000000000..3f260bbd3f4 --- /dev/null +++ b/objects/vulnerability/vulnerability--313ad78b-8a01-4f58-8375-465debe85838.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--0f2a5eb6-8c29-4ebb-a4a9-157e1822dfcd", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--313ad78b-8a01-4f58-8375-465debe85838", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.052985Z", + "modified": "2024-09-29T00:22:41.052985Z", + "name": "CVE-2024-9297", + "description": "A vulnerability was found in SourceCodester Online Railway Reservation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/. The manipulation of the argument page with the input trains/schedules/system_info leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9297" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--33444de0-280b-48ea-95e9-05674f0ac688.json b/objects/vulnerability/vulnerability--33444de0-280b-48ea-95e9-05674f0ac688.json new file mode 100644 index 00000000000..26d52ad4c68 --- /dev/null +++ b/objects/vulnerability/vulnerability--33444de0-280b-48ea-95e9-05674f0ac688.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--a9739828-2a87-4467-8646-e25a1945250f", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--33444de0-280b-48ea-95e9-05674f0ac688", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.050318Z", + "modified": "2024-09-29T00:22:41.050318Z", + "name": "CVE-2024-9318", + "description": "A vulnerability, which was classified as critical, has been found in SourceCodester Advocate Office Management System 1.0. Affected by this issue is some unknown functionality of the file /control/activate.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9318" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--3a7ab6d5-5e26-4754-94d2-6adb955f3dae.json b/objects/vulnerability/vulnerability--3a7ab6d5-5e26-4754-94d2-6adb955f3dae.json new file mode 100644 index 00000000000..351c02b417c --- /dev/null +++ b/objects/vulnerability/vulnerability--3a7ab6d5-5e26-4754-94d2-6adb955f3dae.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--fd49ea2e-b69d-4763-84a4-3492e3ee9b5a", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--3a7ab6d5-5e26-4754-94d2-6adb955f3dae", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.27322Z", + "modified": "2024-09-29T00:22:41.27322Z", + "name": "CVE-2024-23961", + "description": "Alpine Halo9 UPDM_wemCmdUpdFSpeDecomp Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UPDM_wemCmdUpdFSpeDecomp function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.\n\nWas ZDI-CAN-23306", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23961" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--3c92ac67-9de8-4ae3-9fe9-b3a9f50bcf3f.json b/objects/vulnerability/vulnerability--3c92ac67-9de8-4ae3-9fe9-b3a9f50bcf3f.json new file mode 100644 index 00000000000..844880583c9 --- /dev/null +++ b/objects/vulnerability/vulnerability--3c92ac67-9de8-4ae3-9fe9-b3a9f50bcf3f.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--79e0414f-dbea-4dd3-8f41-dd00a46e0f76", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--3c92ac67-9de8-4ae3-9fe9-b3a9f50bcf3f", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.085638Z", + "modified": "2024-09-29T00:22:41.085638Z", + "name": "CVE-2024-8788", + "description": "The EU/UK VAT Manager for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.11. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8788" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--49e2bbe6-efce-44fc-8f5f-67062c053789.json b/objects/vulnerability/vulnerability--49e2bbe6-efce-44fc-8f5f-67062c053789.json new file mode 100644 index 00000000000..8a69776bdad --- /dev/null +++ b/objects/vulnerability/vulnerability--49e2bbe6-efce-44fc-8f5f-67062c053789.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--699a0206-4721-4615-a785-dbb74d0922f5", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--49e2bbe6-efce-44fc-8f5f-67062c053789", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.06115Z", + "modified": "2024-09-29T00:22:41.06115Z", + "name": "CVE-2024-9298", + "description": "A vulnerability was found in SourceCodester Online Railway Reservation System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /?page=tickets of the component Ticket Handler. The manipulation of the argument id leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9298" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--4e2fb5b9-d2cf-4077-918a-63e57260f629.json b/objects/vulnerability/vulnerability--4e2fb5b9-d2cf-4077-918a-63e57260f629.json new file mode 100644 index 00000000000..e84d8c3a773 --- /dev/null +++ b/objects/vulnerability/vulnerability--4e2fb5b9-d2cf-4077-918a-63e57260f629.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--2455b882-df3e-4d4c-b010-341030f3fb40", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--4e2fb5b9-d2cf-4077-918a-63e57260f629", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.055322Z", + "modified": "2024-09-29T00:22:41.055322Z", + "name": "CVE-2024-9315", + "description": "A vulnerability was found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/maintenance/manage_department.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9315" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--4e7b6c97-901f-41e9-9974-81e01892349a.json b/objects/vulnerability/vulnerability--4e7b6c97-901f-41e9-9974-81e01892349a.json new file mode 100644 index 00000000000..cce8a802c41 --- /dev/null +++ b/objects/vulnerability/vulnerability--4e7b6c97-901f-41e9-9974-81e01892349a.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--98dccea7-1ff4-4553-8a7f-8fd664deecdf", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--4e7b6c97-901f-41e9-9974-81e01892349a", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.046019Z", + "modified": "2024-09-29T00:22:41.046019Z", + "name": "CVE-2024-9319", + "description": "A vulnerability, which was classified as critical, was found in SourceCodester Online Timesheet App 1.0. This affects an unknown part of the file /endpoint/delete-timesheet.php. The manipulation of the argument timesheet leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9319" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--5f4061f8-1121-4b74-bc1d-c2c616c1ea03.json b/objects/vulnerability/vulnerability--5f4061f8-1121-4b74-bc1d-c2c616c1ea03.json new file mode 100644 index 00000000000..aeceb01c740 --- /dev/null +++ b/objects/vulnerability/vulnerability--5f4061f8-1121-4b74-bc1d-c2c616c1ea03.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--99396123-a0bc-47c3-bf45-dcdbb23c63a2", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--5f4061f8-1121-4b74-bc1d-c2c616c1ea03", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.278723Z", + "modified": "2024-09-29T00:22:41.278723Z", + "name": "CVE-2024-23959", + "description": "Autel MaxiCharger AC Elite Business C50 BLE AppChargingControl Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the handling of the AppChargingControl BLE command. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.\n\nWas ZDI-CAN-23194", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23959" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--63597722-3daa-4ba7-b585-ff27f4ea9f5a.json b/objects/vulnerability/vulnerability--63597722-3daa-4ba7-b585-ff27f4ea9f5a.json new file mode 100644 index 00000000000..2b7ae948a39 --- /dev/null +++ b/objects/vulnerability/vulnerability--63597722-3daa-4ba7-b585-ff27f4ea9f5a.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--a80a9291-e825-476d-a5ee-31ff2f69b807", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--63597722-3daa-4ba7-b585-ff27f4ea9f5a", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.076383Z", + "modified": "2024-09-29T00:22:41.076383Z", + "name": "CVE-2024-8189", + "description": "The WP MultiTasking – WP Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpmt_menu_name’ parameter in all versions up to, and including, 0.1.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8189" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--637585fc-6a9e-418d-9aba-63152599585c.json b/objects/vulnerability/vulnerability--637585fc-6a9e-418d-9aba-63152599585c.json new file mode 100644 index 00000000000..eea02b145f6 --- /dev/null +++ b/objects/vulnerability/vulnerability--637585fc-6a9e-418d-9aba-63152599585c.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--c99eab89-1711-4148-b5bb-fac51662720f", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--637585fc-6a9e-418d-9aba-63152599585c", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.316048Z", + "modified": "2024-09-29T00:22:41.316048Z", + "name": "CVE-2024-23924", + "description": "Alpine Halo9 UPDM_wemCmdCreatSHA256Hash Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UPDM_wemCmdCreatSHA256Hash function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.\n\nWas ZDI-CAN-23105", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23924" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--6899b06d-23c1-4dc3-ae23-ffc6451bee2f.json b/objects/vulnerability/vulnerability--6899b06d-23c1-4dc3-ae23-ffc6451bee2f.json new file mode 100644 index 00000000000..6a5a8a71691 --- /dev/null +++ b/objects/vulnerability/vulnerability--6899b06d-23c1-4dc3-ae23-ffc6451bee2f.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--4f307d3c-d549-4ba6-9db4-21ac47b96609", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--6899b06d-23c1-4dc3-ae23-ffc6451bee2f", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.062648Z", + "modified": "2024-09-29T00:22:41.062648Z", + "name": "CVE-2024-9023", + "description": "The WP-WebAuthn plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wwa_login_form shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9023" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--69517506-21ca-43de-807f-64a726189f57.json b/objects/vulnerability/vulnerability--69517506-21ca-43de-807f-64a726189f57.json new file mode 100644 index 00000000000..c8b30f7276a --- /dev/null +++ b/objects/vulnerability/vulnerability--69517506-21ca-43de-807f-64a726189f57.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--d8202ab6-de4b-4ca9-84f6-719424c85c87", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--69517506-21ca-43de-807f-64a726189f57", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.095654Z", + "modified": "2024-09-29T00:22:41.095654Z", + "name": "CVE-2024-8547", + "description": "The Simple Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [popup] shortcode in all versions up to, and including, 4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8547" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--7614ba8c-87a8-4053-b8c9-85acca5a8262.json b/objects/vulnerability/vulnerability--7614ba8c-87a8-4053-b8c9-85acca5a8262.json new file mode 100644 index 00000000000..02500aba029 --- /dev/null +++ b/objects/vulnerability/vulnerability--7614ba8c-87a8-4053-b8c9-85acca5a8262.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--1a3568ea-5b8e-4ac8-a047-02dee2df235b", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--7614ba8c-87a8-4053-b8c9-85acca5a8262", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.298346Z", + "modified": "2024-09-29T00:22:41.298346Z", + "name": "CVE-2024-23960", + "description": "Alpine Halo9 Improper Verification of Cryptographic Signature Vulnerability. This vulnerability allows physically present attackers to bypass signature validation mechanism on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the firmware metadata signature validation mechanism. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.\n\nWas ZDI-CAN-23102", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23960" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--834de480-7a2c-4ed9-9ee6-4e1ee65d882c.json b/objects/vulnerability/vulnerability--834de480-7a2c-4ed9-9ee6-4e1ee65d882c.json new file mode 100644 index 00000000000..7758d80e4cc --- /dev/null +++ b/objects/vulnerability/vulnerability--834de480-7a2c-4ed9-9ee6-4e1ee65d882c.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--40f1960a-b82d-42bc-abad-8aa6a06691b2", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--834de480-7a2c-4ed9-9ee6-4e1ee65d882c", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.032Z", + "modified": "2024-09-29T00:22:41.032Z", + "name": "CVE-2024-9316", + "description": "A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0. Affected is an unknown function of the file /admin/blood/update/B+.php. The manipulation of the argument Bloodname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9316" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--8c140e08-5039-4ccc-ae3d-d24e041ea27f.json b/objects/vulnerability/vulnerability--8c140e08-5039-4ccc-ae3d-d24e041ea27f.json new file mode 100644 index 00000000000..1dc0d5cf923 --- /dev/null +++ b/objects/vulnerability/vulnerability--8c140e08-5039-4ccc-ae3d-d24e041ea27f.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--5539e8ed-a052-4da7-a6db-589f57960c73", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--8c140e08-5039-4ccc-ae3d-d24e041ea27f", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.074052Z", + "modified": "2024-09-29T00:22:41.074052Z", + "name": "CVE-2024-8353", + "description": "The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932, however, it was discovered the the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-8353" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--b43b8e89-ace3-4ba3-95ef-cd52a80836c3.json b/objects/vulnerability/vulnerability--b43b8e89-ace3-4ba3-95ef-cd52a80836c3.json new file mode 100644 index 00000000000..519ef36234c --- /dev/null +++ b/objects/vulnerability/vulnerability--b43b8e89-ace3-4ba3-95ef-cd52a80836c3.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--43e0e95e-d5d4-4ecf-b80f-eb8e60f6fa7a", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--b43b8e89-ace3-4ba3-95ef-cd52a80836c3", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.063762Z", + "modified": "2024-09-29T00:22:41.063762Z", + "name": "CVE-2024-9320", + "description": "A vulnerability has been found in SourceCodester Online Timesheet App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /endpoint/add-timesheet.php of the component Add Timesheet Form. The manipulation of the argument day/task leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9320" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--e366e75a-26a1-49c9-a700-96f197062d09.json b/objects/vulnerability/vulnerability--e366e75a-26a1-49c9-a700-96f197062d09.json new file mode 100644 index 00000000000..dc3b2fe8cf8 --- /dev/null +++ b/objects/vulnerability/vulnerability--e366e75a-26a1-49c9-a700-96f197062d09.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--939a542b-a59d-4444-8d6f-897d692e0fa0", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--e366e75a-26a1-49c9-a700-96f197062d09", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.275045Z", + "modified": "2024-09-29T00:22:41.275045Z", + "name": "CVE-2024-23957", + "description": "Autel MaxiCharger AC Elite Business C50 DLB_HostHeartBeat Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the DLB_HostHeartBeat handler of the DLB protocol implementation. When parsing an AES key, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.\n\nWas ZDI-CAN-23241", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23957" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--e3e24298-f846-4d10-a52a-c3ed11db19b0.json b/objects/vulnerability/vulnerability--e3e24298-f846-4d10-a52a-c3ed11db19b0.json new file mode 100644 index 00000000000..ab9df38c21c --- /dev/null +++ b/objects/vulnerability/vulnerability--e3e24298-f846-4d10-a52a-c3ed11db19b0.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--d8279b1d-554c-431c-96ad-048651c31fd5", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--e3e24298-f846-4d10-a52a-c3ed11db19b0", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.042708Z", + "modified": "2024-09-29T00:22:41.042708Z", + "name": "CVE-2024-9295", + "description": "A vulnerability was found in SourceCodester Advocate Office Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /control/login.php. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9295" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--ecf2ff50-0afb-43de-b41c-c0fd1520361c.json b/objects/vulnerability/vulnerability--ecf2ff50-0afb-43de-b41c-c0fd1520361c.json new file mode 100644 index 00000000000..e10940577bb --- /dev/null +++ b/objects/vulnerability/vulnerability--ecf2ff50-0afb-43de-b41c-c0fd1520361c.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--71d2485b-b995-48d1-b542-c9261e3626ef", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--ecf2ff50-0afb-43de-b41c-c0fd1520361c", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.033824Z", + "modified": "2024-09-29T00:22:41.033824Z", + "name": "CVE-2024-9317", + "description": "A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0. Affected by this vulnerability is the function delete_category of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9317" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--edd64d56-8f06-4f8a-b0f0-e6c6d2a42784.json b/objects/vulnerability/vulnerability--edd64d56-8f06-4f8a-b0f0-e6c6d2a42784.json new file mode 100644 index 00000000000..39869fe384d --- /dev/null +++ b/objects/vulnerability/vulnerability--edd64d56-8f06-4f8a-b0f0-e6c6d2a42784.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--2f8d9b36-74bd-419c-92f2-32ead8a383aa", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--edd64d56-8f06-4f8a-b0f0-e6c6d2a42784", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.047835Z", + "modified": "2024-09-29T00:22:41.047835Z", + "name": "CVE-2024-9300", + "description": "A vulnerability classified as problematic was found in SourceCodester Online Railway Reservation System 1.0. This vulnerability affects unknown code of the file contact_us.php of the component Message Us Form. The manipulation of the argument fullname/email/message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9300" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--ef031c79-6ebb-45a1-a038-fab243b55c06.json b/objects/vulnerability/vulnerability--ef031c79-6ebb-45a1-a038-fab243b55c06.json new file mode 100644 index 00000000000..b4f3a1e8098 --- /dev/null +++ b/objects/vulnerability/vulnerability--ef031c79-6ebb-45a1-a038-fab243b55c06.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--4715f388-a70c-4425-b7b6-f4632296eb13", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--ef031c79-6ebb-45a1-a038-fab243b55c06", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.058393Z", + "modified": "2024-09-29T00:22:41.058393Z", + "name": "CVE-2024-9296", + "description": "A vulnerability was found in SourceCodester Advocate Office Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /control/forgot_pass.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9296" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--f261d37f-c7c2-42d3-a75b-cff05942f18d.json b/objects/vulnerability/vulnerability--f261d37f-c7c2-42d3-a75b-cff05942f18d.json new file mode 100644 index 00000000000..9aa9c83547e --- /dev/null +++ b/objects/vulnerability/vulnerability--f261d37f-c7c2-42d3-a75b-cff05942f18d.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--9156c433-a65c-4521-b2ef-b2c7d763c7ad", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--f261d37f-c7c2-42d3-a75b-cff05942f18d", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.299836Z", + "modified": "2024-09-29T00:22:41.299836Z", + "name": "CVE-2024-23923", + "description": "Alpine Halo9 prh_l2_sar_data_ind Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the prh_l2_sar_data_ind function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of root.\n\nWas ZDI-CAN-22945", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23923" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--f5834857-d14c-4313-8d26-6a1477b2f342.json b/objects/vulnerability/vulnerability--f5834857-d14c-4313-8d26-6a1477b2f342.json new file mode 100644 index 00000000000..d482dacb4fd --- /dev/null +++ b/objects/vulnerability/vulnerability--f5834857-d14c-4313-8d26-6a1477b2f342.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--e3b1c5ab-1317-4658-a9c7-683ace972906", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--f5834857-d14c-4313-8d26-6a1477b2f342", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.279992Z", + "modified": "2024-09-29T00:22:41.279992Z", + "name": "CVE-2024-23938", + "description": "Silicon Labs Gecko OS Debug Interface Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the debug interface. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.\n\nWas ZDI-CAN-23184", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-23938" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--f9ed7de6-66a6-428d-bdda-19c620300175.json b/objects/vulnerability/vulnerability--f9ed7de6-66a6-428d-bdda-19c620300175.json new file mode 100644 index 00000000000..f1adad43ada --- /dev/null +++ b/objects/vulnerability/vulnerability--f9ed7de6-66a6-428d-bdda-19c620300175.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--9b05871c-2fa9-4b4b-b658-d28400992a6a", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--f9ed7de6-66a6-428d-bdda-19c620300175", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2024-09-29T00:22:41.064802Z", + "modified": "2024-09-29T00:22:41.064802Z", + "name": "CVE-2024-9189", + "description": "The EU/UK VAT Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the alg_wc_eu_vat_exempt_vat_from_admin() function in all versions up to, and including, 2.12.12. This makes it possible for unauthenticated attackers to update the VAT status for any order.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-9189" + } + ] + } + ] +} \ No newline at end of file