9.8
CVE-2022-1386
- EPSS 93.61%
- Veröffentlicht 16.05.2022 15:15:09
- Zuletzt bearbeitet 21.11.2024 06:40:37
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginFusion Builder <= 3.6.1 & Avada <= 7.6.1 - Unauthenticated Server-Side Request Forgery
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
Mögliche Gegenmaßnahme
Avada (Fusion) Builder: Update to version 3.6.2, or a newer patched version
Avada | Website Builder For WordPress & WooCommerce: Update to version 7.6.2, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Avada (Fusion) Builder
Version
[*, 3.6.2)
SystemWordPress Theme
≫
Produkt
Avada | Website Builder For WordPress & WooCommerce
Version
[*, 7.6.2)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fusion Builder Project ≫ Fusion Builder SwPlatformwordpress Version < 3.6.2
Theme-fusion ≫ Avada SwPlatformwordpress Version < 7.6.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.61% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.