CVE-2021-24806

{"id": "CVE-2021-24806", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-11-08T18:15:10.023", "references": [{"url": "https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment."}, {"lang": "es", "value": "El plugin wpDiscuz de WordPress versiones anteriores a 7.3.4, no comprueba la existencia de CSRF cuando se a\u00f1aden, editan y eliminan comentarios, lo que podr\u00eda permitir a un atacante hacer que usuarios registrados, como el administrador, editen y eliminen un comentario arbitrario, o que el usuario que hizo el comentario lo edite por medio de un ataque CSRF. Los atacantes tambi\u00e9n podr\u00edan hacer que usuarios que han iniciado sesi\u00f3n publiquen comentarios arbitrarios"}], "lastModified": "2024-11-21T05:53:48.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "D7A877BC-CB0A-44C2-A9ED-48039684BC9B", "versionEndExcluding": "7.3.4"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}