7.2
CVE-2021-24145
- EPSS 88.16%
- Published 18.03.2021 15:15:15
- Last modified 21.11.2024 05:52:27
- Source contact@wpscan.com
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
Modern Events Calendar Lite <= 5.16.4 - Authenticated Arbitrary File Upload leading to Remote Code Execution
The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request.
Possible mitigation
Modern Events Calendar Lite: Update to version 5.16.5, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Webnus ≫ Modern Events Calendar Lite, SwPlatform: wordpress, Version < 5.16.5
Additional vulnerability information
System: WordPress Plugin
Product: Modern Events Calendar Lite
Version: *-5.16.4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 88.16% | 0.997 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e67e3e-188c-4ca9-b846-d318859aeaf8