CVE-2020-7947

{"id": "CVE-2020-7947", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-04-01T13:15:15.320", "references": [{"url": "https://auth0.com/docs/cms/wordpress", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://wordpress.org/plugins/auth0/#developers", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://auth0.com/docs/cms/wordpress", "tags": ["Product", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://wordpress.org/plugins/auth0/#developers", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1236"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded."}, {"lang": "es", "value": "Se detect\u00f3 un problema en el plugin Login by Auth0 versiones anteriores a 4.0.0 para WordPress. Presenta numerosos campos que pueden contener datos que son extra\u00eddos de diferentes fuentes. Un problema con esto es que los datos no son saneados y no se realiza ninguna comprobaci\u00f3n de entrada, antes de la exportaci\u00f3n de los datos del usuario. Esto puede conllevar a (al menos) una inyecci\u00f3n de CSV si un documento Excel dise\u00f1ado es cargado."}], "lastModified": "2024-11-21T05:38:03.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:auth0:login_by_auth0:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "AEF5427B-E416-4F67-8D3D-FE113B53E030", "versionEndExcluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}