10
CVE-2020-35949
- EPSS 4.93%
- Veröffentlicht 01.01.2021 04:15:13
- Zuletzt bearbeitet 21.11.2024 05:28:35
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginQuiz and Survey Master <= 7.0.0 - Arbitrary File Upload
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.
Mögliche Gegenmaßnahme
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker: Update to version 7.0.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Expresstech ≫ Quiz And Survey Master SwPlatformwordpress Version < 7.0.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Version
[*, 7.0.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.93% | 0.91 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| cve@mitre.org | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://wpscan.com/vulnerability/10349
https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfd93c33-4672-4914-b052-7bea283ef60c