CVE-2021-24800

Exploit

EPSS 0.15%
Veröffentlicht 25.04.2022 16:16:06
Zuletzt bearbeitet 21.11.2024 05:53:47
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

DW Question & Answer Pro <= 1.3.6 - Missing Authorization Checks

The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments.

Mögliche Gegenmaßnahme

DW Question Answer Pro: Update to version 1.3.7, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt DW Question Answer Pro

Version *-1.3.6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Designwall ≫ Dw Question & Answer SwEditionpro SwPlatformwordpress Version <= 1.3.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.366

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://wpscan.com/vulnerability/cd37ca81-d683-4955-bc97-60204cb9c346

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/c58fa0a0-0b22-42df-8d3a-c3de78e12aa7

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24800

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24800

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24800

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-24800