generated content from 2025-01-10

objects/vulnerability/vulnerability--002125bf-2454-4830-93c8-91c985ab3f43.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--783c7128-dcee-4814-88be-6da55ce904f7",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--002125bf-2454-4830-93c8-91c985ab3f43",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:44.734495Z",
+            "modified": "2025-01-10T00:21:44.734495Z",
+            "name": "CVE-2023-24010",
+            "description": "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2023-24010"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--014d0191-f9b9-498c-8d66-2c61b3146ab8.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--759718f1-26eb-408c-8cac-ddf40c6eafdf",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--014d0191-f9b9-498c-8d66-2c61b3146ab8",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.438374Z",
+            "modified": "2025-01-10T00:21:47.438374Z",
+            "name": "CVE-2025-22151",
+            "description": "Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-22151"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--020c9a98-8054-43f1-b52a-b33cecdaa520.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--dd514c09-c5f3-4001-a0bf-05cbb7ab51c4",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--020c9a98-8054-43f1-b52a-b33cecdaa520",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.377655Z",
+            "modified": "2025-01-10T00:21:37.377655Z",
+            "name": "CVE-2024-13212",
+            "description": "A vulnerability classified as critical has been found in SingMR HouseRent 1.0. This affects the function singleUpload/upload of the file src/main/java/com/house/wym/controller/AddHouseController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-13212"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--02969ed8-c45e-44b1-b797-46a45154fdf9.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--32b8e620-523a-427c-9844-e2594ffea746",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--02969ed8-c45e-44b1-b797-46a45154fdf9",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.407746Z",
+            "modified": "2025-01-10T00:21:37.407746Z",
+            "name": "CVE-2024-13279",
+            "description": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-13279"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--04877101-ced4-4d28-a00e-de6cf1ccc5cc.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--6440f4f6-738b-4a23-a1ac-c254daa515a4",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--04877101-ced4-4d28-a00e-de6cf1ccc5cc",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.489208Z",
+            "modified": "2025-01-10T00:21:47.489208Z",
+            "name": "CVE-2025-21599",
+            "description": "A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service. \n\nReceipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS). Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition.\nThis issue only affects systems configured with IPv6.\n\nThis issue affects Junos OS Evolved: \n\n\n\n  *  from 22.4-EVO before 22.4R3-S5-EVO, \n  *  from 23.2-EVO before 23.2R2-S2-EVO, \n  *  from 23.4-EVO before 23.4R2-S2-EVO, \n  *  from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\n\n\nThis issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-21599"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--048d24bb-8540-4d02-b399-254877ae8fd5.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--f8ba0fbf-d479-43d9-876b-d7c83caf6723",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--048d24bb-8540-4d02-b399-254877ae8fd5",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.400463Z",
+            "modified": "2025-01-10T00:21:47.400463Z",
+            "name": "CVE-2025-22811",
+            "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modeltheme MT Addons for Elementor allows Stored XSS.This issue affects MT Addons for Elementor: from n/a through 1.0.6.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-22811"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--05970bd3-9da5-427d-b024-65ab44533d18.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--99068df7-7d75-4608-a3f0-be6daa8a3a07",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--05970bd3-9da5-427d-b024-65ab44533d18",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.830871Z",
+            "modified": "2025-01-10T00:21:37.830871Z",
+            "name": "CVE-2024-6324",
+            "description": "An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-6324"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--06a256dd-a472-4549-bfc1-5134ee066a53.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--5a565878-5dd6-42d5-bac6-3b51573c407f",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--06a256dd-a472-4549-bfc1-5134ee066a53",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.546968Z",
+            "modified": "2025-01-10T00:21:47.546968Z",
+            "name": "CVE-2025-0345",
+            "description": "A vulnerability was found in leiyuxi cy-fast 1.0 and classified as critical. Affected by this issue is the function listData of the file /sys/menu/listData. The manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-0345"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0836d97a-9c16-494b-b666-cd272ed3e305.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--92ae499f-45e2-4663-9369-78290785fed3",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0836d97a-9c16-494b-b666-cd272ed3e305",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.383574Z",
+            "modified": "2025-01-10T00:21:47.383574Z",
+            "name": "CVE-2025-22810",
+            "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CBB Team Content Blocks Builder allows Stored XSS.This issue affects Content Blocks Builder: from n/a through 2.7.6.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-22810"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--09813dcd-81af-4971-95f6-53bd0a324537.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--a07436c3-e47a-4191-a4ed-302254d6610e",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--09813dcd-81af-4971-95f6-53bd0a324537",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.808988Z",
+            "modified": "2025-01-10T00:21:37.808988Z",
+            "name": "CVE-2024-43660",
+            "description": "The CGI script <redacted>.sh can be used to download any file on the filesystem.\n\nThis issue affects Iocharger firmware for AC model chargers beforeversion 24120701.\n\nLikelihood: High, but credentials required.\n\nImpact: Critical – The script can be used to download any file on the filesystem, including sensitive files such as /etc/shadow, the CGI script source code or binaries and configuration files.\n\nCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The confidentiality of all files of the devicd can be compromised (VC:H/VI:N/VA:N).  There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, this attack in isolation does not have a safety impact. The attack can be automated (AU:Y).",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-43660"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--09ce838c-7ad1-4726-85f5-bad9b58b81e4.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--e3f60621-aba5-4ab7-aa35-33f40046f499",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--09ce838c-7ad1-4726-85f5-bad9b58b81e4",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:35.167571Z",
+            "modified": "2025-01-10T00:21:35.167571Z",
+            "name": "CVE-2024-12222",
+            "description": "The Deliver via Shipos for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dvsfw_bulk_label_url’ parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-12222"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0b31884d-8c28-4d1e-9612-61bd0099110f.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--7d64bfe1-90ff-491c-86ce-d96609f17a09",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0b31884d-8c28-4d1e-9612-61bd0099110f",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.411232Z",
+            "modified": "2025-01-10T00:21:37.411232Z",
+            "name": "CVE-2024-13287",
+            "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Views SVG Animation allows Cross-Site Scripting (XSS).This issue affects Views SVG Animation: from 0.0.0 before 1.0.1.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-13287"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0c642311-932e-4dfe-ae5b-95259cc15a69.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--49770aea-0efb-457c-b04f-ec7a2f84c8d3",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0c642311-932e-4dfe-ae5b-95259cc15a69",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:36.945056Z",
+            "modified": "2025-01-10T00:21:36.945056Z",
+            "name": "CVE-2024-56377",
+            "description": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-56377"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0cbfa079-7bdf-49f6-a432-0488c9f3b687.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--0ecff174-8b90-485d-beca-ebcc382767ba",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0cbfa079-7bdf-49f6-a432-0488c9f3b687",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:37.393518Z",
+            "modified": "2025-01-10T00:21:37.393518Z",
+            "name": "CVE-2024-13303",
+            "description": "Missing Authorization vulnerability in Drupal Download All Files allows Forceful Browsing.This issue affects Download All Files: from 0.0.0 before 2.0.2.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2024-13303"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0ec6776a-b2a5-4cba-a597-1ff9343f1c5f.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--79b93f25-7d1c-4f01-87d8-74a074acef2f",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0ec6776a-b2a5-4cba-a597-1ff9343f1c5f",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:47.368464Z",
+            "modified": "2025-01-10T00:21:47.368464Z",
+            "name": "CVE-2025-22594",
+            "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hccoder – Sándor Fodor Better User Shortcodes allows Reflected XSS.This issue affects Better User Shortcodes: from n/a through 1.0.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-22594"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--0f22fb4e-e1be-4dda-a40f-02f76843b598.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--b24c4008-283c-41a8-818c-e7efb69165ea",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--0f22fb4e-e1be-4dda-a40f-02f76843b598",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-01-10T00:21:46.919923Z",
+            "modified": "2025-01-10T00:21:46.919923Z",
+            "name": "CVE-2023-28354",
+            "description": "An issue was discovered in Opsview Monitor Agent 6.8. An unauthenticated remote attacker can call check_nrpe against affected targets, specifying known NRPE plugins, which in default installations are configured to accept command control characters and pass them to command-line interpreters for NRPE plugin execution. This allows the attacker to escape NRPE plugin execution and execute commands remotely on the target as NT_AUTHORITY\\SYSTEM.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2023-28354"
+                }
+            ]
+        }
+    ]
+}