7.8
CVE-2020-9372
- EPSS 8.61%
- Veröffentlicht 04.03.2020 19:15:13
- Zuletzt bearbeitet 21.11.2024 05:40:30
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAppointment Booking Calendar <= 1.3.34 - CSV Injection
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Mögliche Gegenmaßnahme
Appointment Booking Calendar: Update to version 1.3.35, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Codepeople ≫ Appointment Booking Calendar SwPlatformwordpress Version < 1.3.35
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Appointment Booking Calendar
Version
[*, 1.3.35)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.61% | 0.944 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
https://wordpress.org/plugins/appointment-booking-calendar/#developers
http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
https://www.hotdreamweaver.com/support/view.php?id=815925
https://www.wordfence.com/threat-intel/vulnerabilities/id/25b26369-76e3-44f0-8275-03fc6fc9705c