9.8
CVE-2019-15896
- EPSS 3.72%
- Veröffentlicht 10.09.2019 16:15:12
- Zuletzt bearbeitet 21.11.2024 04:29:41
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginLMS by LifterLMS <= 3.35.0 - Stored Cross-Site Scripting via Import
An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.
Mögliche Gegenmaßnahme
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes: Update to version 3.35.0, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Version
[*, 3.35.0)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.72% | 0.875 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.