CVE-2024-35242 – Composer vulnerable to command injection via malicious git/hg branch names
https://notcve.org/view.php?id=CVE-2024-35242
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. • https://github.com/KKkai0315/CVE-2024-35242 https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-35241 – Composer vulnerable to command injection via malicious git branch name
https://notcve.org/view.php?id=CVE-2024-35241
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. • https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704 https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-32957 – WordPress Page Builder: Live Composer plugin <= 1.5.38 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32957
Missing Authorization vulnerability in Live Composer Team Page Builder: Live Composer. This issue affects Page Builder: Live Composer: from n/a through 1.5.38. The Page Builder: Live Composer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the dslc_ajax_add_module() function in versions up to, and including, 1.5.38. This makes it possible for authenticated attackers, with author-level access and above, to add modules. • https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-38-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-32560 – WordPress QR Code Composer plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-32560
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sharabindu QR Code Composer allows Stored XSS. This issue affects QR Code Composer: from n/a through 2.0.3. The QR Code Composer – Automatic QR code Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/qr-code-composer/wordpress-qr-code-composer-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-31933 – WordPress Page Builder: Live Composer plugin <= 1.5.35 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31933
Cross-Site Request Forgery (CSRF) vulnerability in Live Composer Team Page Builder: Live Composer. This issue affects Page Builder: Live Composer: from n/a through 1.5.35. The Page Builder: Live Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.35. This is due to missing or incorrect nonce validation on several functions. • https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-35-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •