CVE-2022-2939

EPSS 0.41%
Veröffentlicht 06.09.2022 18:15:15
Zuletzt bearbeitet 21.11.2024 07:01:57
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

WP Cerber Security <= 9.0 - User Enumeration Bypass

The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the 'author' parameter found in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks requests if the value supplied is numeric, making it possible for attackers to supply additional non-numeric characters to bypass the protection. The non-numeric characters are stripped and the user requested is displayed. This can be used by unauthenticated attackers to gather information about users that can targeted in further attacks.

Mögliche Gegenmaßnahme

WP Cerber Security, Anti-spam & Malware Scan: Update to version 9.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP Cerber Security, Anti-spam & Malware Scan

Version *-9.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cerber ≫ Wp Cerber Security, Anti-spam & Malware Scan SwPlatformwordpress Version <= 9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.609

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://plugins.trac.wordpress.org/changeset/2772930/wp-cerber/trunk/cerber-load.php

Patch

Third Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2939

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/081a5fda-abe2-4f20-bea2-3f7dd3c3a6cf

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-2939

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-2939

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-2939

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-2939