CVE-2024-12042

EPSS 0.17%
Veröffentlicht 13.12.2024 09:15:07
Zuletzt bearbeitet 22.05.2025 14:33:24
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting)

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.

Mögliche Gegenmaßnahme

MStore API – Create Native Android & iOS Apps On The Cloud: Update to version 4.16.5, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt MStore API – Create Native Android & iOS Apps On The Cloud

Version *-4.16.4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inspireui ≫ Mstore Api SwPlatformwordpress Version < 4.16.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.385

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/functions/index.php#790

Product

https://plugins.trac.wordpress.org/changeset/3205338/mstore-api/trunk/functions/index.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-12042

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12042

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12042

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-12042