7.2
CVE-2021-24145
- EPSS 92.55%
- Published 18.03.2021 15:15:15
- Last modified 21.11.2024 05:52:27
- Source contact@wpscan.com
Modern Events Calendar Lite <= 5.16.4 - Authenticated Arbitrary File Upload leading to Remote Code Execution
The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request.
Possible mitigation
Modern Events Calendar Lite: Update to version 5.16.5, or a newer patched version
Further vulnerability information
- System: WordPress Plugin
- Product: Modern Events Calendar Lite
- Version: * - 5.16.4
Data provided by the National Vulnerability Database (NVD)
Webnus ≫ Modern Events Calendar Lite, SwPlatform: wordpress, Version < 5.16.5
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 92.55% | 0.997 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.