6.1
CVE-2019-19134
- EPSS 17.25%
- Veröffentlicht 26.02.2020 15:15:11
- Zuletzt bearbeitet 21.11.2024 04:34:14
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginHero Maps Premium <= 2.2.2 - Reflected Cross-Site Scripting
The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.
Mögliche Gegenmaßnahme
Hero Maps Premium: Update to version 2.2.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Hero Maps Premium
Version
*-2.2.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Heroplugins ≫ Hero Maps Premium SwPlatformwordpress Version < 2.2.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 17.25% | 0.949 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.