4.3

CVE-2023-2627

Exploit

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Missing Authorization

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include, but are not limited to, adding arbitrary Clinic Admin/Doctors/etc. and updating the plugin's settings.
Possible countermeasure
KiviCare – Clinic & Patient Management System (EHR): Update to version 3.2.1, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Iqonic Kivicare | SwPlatform: wordpress | Version: < 3.2.1
Further vulnerability information
System: WordPress Plugin
Product: KiviCare – Clinic & Patient Management System (EHR)
Version: *-3.2.0
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.25% | 0.157
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
No CWE information has been published yet.
https://wpscan.com/vulnerability/162d0029-2adc-4925-9985-1d5d672dbe75
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/88898997-6199-4b33-bd35-70a1a01812ec
Third Party Advisory