7.5
CVE-2022-0656
- EPSS 7.74%
- Veröffentlicht 25.04.2022 16:16:07
- Zuletzt bearbeitet 21.11.2024 06:39:07
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginuDraw < 3.3.3 - Unauthenticated Arbitrary File Access
Web To Print Shop : uDraw <= 3.3.3 - Unauthenticated Arbitrary File Access
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)
Mögliche Gegenmaßnahme
Web To Print Shop : uDraw: Update to version 3.4.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webtoprint ≫ Web To Print Shop:udraw SwPlatformwordpress Version < 3.3.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Web To Print Shop : uDraw
Version
*-3.3.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 7.74% | 0.939 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-552 Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.
https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151
https://www.wordfence.com/threat-intel/vulnerabilities/id/5629d479-143d-4a03-ac64-cb304954a5ca