6.1
CVE-2021-24234
- EPSS 1.17%
- Veröffentlicht 22.04.2021 21:15:09
- Zuletzt bearbeitet 21.11.2024 05:52:39
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginIvory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)
Ivory Search <= 4.6 - Reflected Cross Site Scripting
The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack.
Mögliche Gegenmaßnahme
Ivory Search – WordPress Search Plugin: Update to version 4.6.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ivorysearch ≫ Ivory Search SwPlatformwordpress Version < 4.6.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Ivory Search – WordPress Search Plugin
Version
*-4.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.17% | 0.634 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/ecc620be-8e29-4860-9d32-86b5814a3835
https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-in-ivory-search-wp-plugin/
https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-ivory-search-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d9e3f310-5a5e-4ca8-806d-9a7aacfaf5ed