8.8

CVE-2022-1777

Exploit

EPSS 0.64%
Veröffentlicht 13.06.2022 13:15:12
Zuletzt bearbeitet 21.11.2024 06:41:26
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Filr – Secure document library <= 1.2.2 - Missing Authorization

The Filr WordPress plugin before 1.2.2.1 does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. They are are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as delete all files or arbitrary ones.

Mögliche Gegenmaßnahme

Filr – Secure document library: Update to version 1.2.2.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Filr – Secure document library

Version [*, 1.2.2.1)

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Filr Project ≫ Filr SwPlatformwordpress Version < 1.2.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.64%	0.697

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://wpscan.com/vulnerability/a50dc7f8-a9e6-41fa-a047-ad1c3bc309b4

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/02d4bc64-d05d-4151-bc38-523cbb2ef60c

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-1777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1777

EUVD