9.8
CVE-2020-7947
- EPSS 2.84%
- Veröffentlicht 01.04.2020 13:15:15
- Zuletzt bearbeitet 21.11.2024 05:38:03
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginLogin by Auth0 <= 3.11.3 - CSV Injection
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.
Mögliche Gegenmaßnahme
Login by Auth0: Update to version 4.0.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Auth0 ≫ Login By Auth0 SwPlatformwordpress Version < 4.0.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Login by Auth0
Version
*-3.11.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.84% | 0.848 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0
https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v
https://auth0.com/docs/cms/wordpress
https://wordpress.org/plugins/auth0/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/30532dc1-5d40-4585-abd2-c08ed0682d72