5.4
CVE-2022-0642
- EPSS 0.29%
- Veröffentlicht 30.05.2022 09:15:08
- Zuletzt bearbeitet 21.11.2024 06:39:05
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginJivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
JivoChat Live Chat – WP live chat plugin for WordPress <= 1.3.5.3 - Cross-Site Request Forgery to Cross-Site Scripting
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.
Mögliche Gegenmaßnahme
JivoChat Live Chat – WP live chat plugin for WordPress: Update to version 1.3.5.4, or a newer patched version
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.206 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://wpscan.com/vulnerability/099cf9b4-0b3a-43c6-8ca9-7c2d50f86425
https://www.wordfence.com/threat-intel/vulnerabilities/id/034e77ef-fb3f-4e62-be1b-c56c454c5ba8