6.1
CVE-2017-17780
- EPSS 0.28%
- Veröffentlicht 20.12.2017 03:29:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginClockwork SMS Plugins - Multiple Versions - Cross-Site Scripting
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.
Mögliche Gegenmaßnahme
Booking Calendar – Clockwork SMS: Update to version 1.1.1, or a newer patched version
Two-Factor Authentication – Clockwork SMS: Update to version 1.1.1, or a newer patched version
Contact Form 7 – Clockwork SMS: Update to version 2.4.1, or a newer patched version
Formidable – Clockwork SMS: Update to version 1.1.1, or a newer patched version
Fast Secure Contact Form – Clockwork SMS: Update to version 2.4.1, or a newer patched version
Gravity Forms – Clockwork SMS: Update to version 2.4.1, or a newer patched version
WP e-Commerce – Clockwork SMS: Update to version 2.4.1, or a newer patched version
Clockwork SMS Notfications: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Booking Calendar – Clockwork SMS
Version
*-1.0.5
SystemWordPress Plugin
≫
Produkt
Two-Factor Authentication – Clockwork SMS
Version
*-1.0.2
SystemWordPress Plugin
≫
Produkt
Contact Form 7 – Clockwork SMS
Version
*-2.3.0
SystemWordPress Plugin
≫
Produkt
Formidable – Clockwork SMS
Version
*-1.0.2
SystemWordPress Plugin
≫
Produkt
Fast Secure Contact Form – Clockwork SMS
Version
*-2.1.2
SystemWordPress Plugin
≫
Produkt
Gravity Forms – Clockwork SMS
Version
*-2.2
SystemWordPress Plugin
≫
Produkt
WP e-Commerce – Clockwork SMS
Version
*-2.0.5
SystemWordPress Plugin
≫
Produkt
Clockwork SMS Notfications
Version
*-2.0.3
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mediaburst ≫ Booking Calendar Sms Version1.0.5 SwPlatformwordpress
Mediaburst ≫ Clockwork Sms Notfications Version2.0.3 SwPlatformwordpress
Mediaburst ≫ Contact Form 7 Sms Version2.3.0 SwPlatformwordpress
Mediaburst ≫ Fast Secure Contact Form Sms Version2.1.2 SwPlatformwordpress
Mediaburst ≫ Formidable Version1.0.2 SwPlatformwordpress
Mediaburst ≫ Gravity Forms Version2.2 SwPlatformwordpress
Mediaburst ≫ Two-factor Authentication Version1.0.2 SwPlatformwordpress
Mediaburst ≫ Wp E-commerce Version2.0.5 SwPlatformwordpress
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.485 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.