6.5
CVE-2023-1125
- EPSS 0.56%
- Veröffentlicht 02.05.2023 08:15:09
- Zuletzt bearbeitet 30.01.2025 15:15:12
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginRuby Help Desk < 1.3.4 - Subscriber+ Ticket Update via IDOR
Ruby Help Desk <= 1.3.3 - Missing Authorization to Arbitrary Ticket Modification
The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.
Mögliche Gegenmaßnahme
Ruby Help Desk: Update to version 1.3.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpruby ≫ Ruby Help Desk SwPlatformwordpress Version < 1.3.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Ruby Help Desk
Version
*-1.3.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.42 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://wpscan.com/vulnerability/e8a4b6ab-47f8-495d-a22c-dcf914dfb58c
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd741e2d-5478-4b9a-83ab-7ccafdc5d12f