4.8
CVE-2021-24623
- EPSS 0.6%
- Veröffentlicht 13.09.2021 18:15:17
- Zuletzt bearbeitet 21.11.2024 05:53:26
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWordPress Advanced Ticket System < 1.0.64 - Authenticated Stored Cross-Site Scripting (XSS)
WordPress Advanced Ticket System, Elite Support Helpdesk <= 1.0.63 - Authenticated (Admin+) Stored Cross-Site Scripting
The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Mögliche Gegenmaßnahme
WP Advanced Ticket System, Elite Support Helpdesk: Update to version 1.0.64, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ticket-system ≫ Wordpress Advanced Ticket System SwPlatformwordpress Version < 1.0.64
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Advanced Ticket System, Elite Support Helpdesk
Version
[*, 1.0.64)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.6% | 0.439 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/41d9027c-a982-44c7-889e-721333496b5c
https://www.wordfence.com/threat-intel/vulnerabilities/id/e9ae8fa3-206c-496d-9902-c6468964b717