7.5
CVE-2022-0828
- EPSS 1.48%
- Veröffentlicht 11.04.2022 15:15:08
- Zuletzt bearbeitet 21.03.2025 16:07:09
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginDownload Manager < 3.2.39 - Unauthenticated brute force of files master key
Download Manager <= 3.2.38 - Unauthenticated Brute Force of File Master Key
The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.
Mögliche Gegenmaßnahme
Download Manager: Update to version 3.2.39, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
W3eden ≫ Download Manager SwPlatformwordpress Version < 3.2.34
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Download Manager
Version
[*, 3.2.39)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.48% | 0.706 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb
https://www.wordfence.com/threat-intel/vulnerabilities/id/feb056b0-5ea0-4257-8d58-0e29b3c304bd