5.3
CVE-2020-24141
- EPSS 0.93%
- Veröffentlicht 07.07.2021 14:15:09
- Zuletzt bearbeitet 21.11.2024 05:14:25
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginWP-DownloadManager <= 1.68.4 - Server-Side Request Forgery
Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network hosts and execute command on services
Mögliche Gegenmaßnahme
WP-DownloadManager: Update to version 1.68.5, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wp-downloadmanager Project ≫ Wp-downloadmanager Version1.68.4 SwPlatformwordpress
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP-DownloadManager
Version
[*, 1.68.5)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.93% | 0.56 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/secwx/research/blob/main/cve/CVE-2020-24141.md
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfe48948-7fc9-4806-b1b5-9fac5a6c7d96