CVE-2022-0828
CVSS base score: 7.5
Tags: Exploit

Download Manager <= 3.2.38 - Unauthenticated Brute Force of File Master Key

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.
Possible countermeasure
Download Manager: update to version 3.2.39 or a newer patched version
Further vulnerability information

System:   WordPress Plugin
Product:  Download Manager
Version:  [*, 3.2.39)

Data provided by the National Vulnerability Database (NVD)

Vendor: W3eden   Product: Download Manager   Software platform: wordpress   Version: < 3.2.34

No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.36%   0.573

CVSS metrics

Source         Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov   7.5          3.9             3.6            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov   5            10              2.9            AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.