6.8

CVE-2015-6828

Exploit

SecureMoz Security Audit <= 1.0.5 - PHP Object Injection

The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man-in-the-middle attackers to conduct PHP object injection attacks and execute arbitrary PHP code by modifying the client-server data stream.  NOTE: some of these details are obtained from third party information.
Mögliche Gegenmaßnahme
SecureMoz Security Audit: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt SecureMoz Security Audit
Version *-1.0.5
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SecuremozSecurity Audit SwPlatformwordpress Version <= 1.0.5
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.58% 0.684
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.openwall.com/lists/oss-security/2015/09/05/4
Third Party Advisory
Exploit
Mailing List
http://www.openwall.com/lists/oss-security/2015/09/06/3
Third Party Advisory
Exploit
Mailing List