9.8
CVE-2021-24472
- EPSS 89.82%
- Veröffentlicht 02.08.2021 11:15:10
- Zuletzt bearbeitet 21.11.2024 05:53:08
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginQT KenthaRadio < 2.0.2 & OnAir2 < 3.9.9.2 - Server-Side Request Forgery & Remote File Inclusion
The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.
Mögliche Gegenmaßnahme
KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality: Update to version 2.0.2, or a newer patched version
Onair2: Radio Station WordPress Theme With Non-Stop Music Player: Update to version 3.9.9.2, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality
Version
[*, 2.0.2)
SystemWordPress Theme
≫
Produkt
Onair2: Radio Station WordPress Theme With Non-Stop Music Player
Version
[*, 3.9.9.2)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Qantumthemes ≫ Kentharadio SwPlatformwordpress Version < 2.0.2
Qantumthemes ≫ Onair2 SwPlatformwordpress Version < 3.9.9.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 89.82% | 0.995 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.