CVE-2021-24307
- EPSS 56.5%
- Published 24.05.2021 11:15:08
- Last modified 21.11.2024 05:52:48
- Source contact@wpscan.com
All in One SEO <= 4.1.0.1 - Authenticated Code Injection
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with the "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds the Monolog library, which can be used to craft a gadget chain and thus trigger system command execution.
Possible mitigation
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic: Update to version 4.1.0.2, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Version: [*, 4.1.0.2)
Data provided by the National Vulnerability Database (NVD)
Aioseo ≫ All In One Seo, SwPlatform: wordpress, Version < 4.1.0.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 56.5% | 0.98 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.