CVE-2023-47757

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery.This issue affects AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://patchstack.com/database/vulnerability/aweber-web-form-widget/wordpress-aweber-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aweber:aweber:*:*:*:*:*:wordpress:*:*

History

25 Nov 2023, 02:14

Type	Values Removed	Values Added
CPE		cpe:2.3:a:aweber:aweber::::::wordpress::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CWE		CWE-352
First Time		Aweber Aweber aweber
References	~~() https://patchstack.com/database/vulnerability/aweber-web-form-widget/wordpress-aweber-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve -~~	() https://patchstack.com/database/vulnerability/aweber-web-form-widget/wordpress-aweber-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve - Third Party Advisory

17 Nov 2023, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-17 09:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-47757

Mitre link : CVE-2023-47757

CVE.ORG link : CVE-2023-47757

JSON object : View

Products Affected

aweber

aweber

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-862

Missing Authorization

{"id": "CVE-2023-47757", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "audit@patchstack.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-11-17T09:15:23.590", "references": [{"url": "https://patchstack.com/database/vulnerability/aweber-web-form-widget/wordpress-aweber-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["Third Party Advisory"], "source": "audit@patchstack.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "audit@patchstack.com", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber \u2013 Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery.This issue affects AWeber \u2013 Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9.\n\n"}, {"lang": "es", "value": "Autorizaci\u00f3n faltante, vulnerabilidad de Cross-Site Request Forgery (CSRF) en AWeber AWeber: Formulario de registro gratuito y complemento de creaci\u00f3n de p\u00e1ginas de destino para la generaci\u00f3n de clientes potenciales y el crecimiento de boletines informativos por correo electr\u00f3nico permite acceder a funciones no restringidas adecuadamente por ACL y Cross-Site Request Forgery. Este problema afecta AWeber: formulario de registro gratuito y complemento de creaci\u00f3n de p\u00e1ginas de destino para la generaci\u00f3n de clientes potenciales y el crecimiento de boletines informativos por correo electr\u00f3nico: desde n/a hasta 7.3.9."}], "lastModified": "2023-11-25T02:14:53.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aweber:aweber:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "4F644534-334D-4DEC-A0FF-AEF1AD813CAC", "versionEndExcluding": "7.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "audit@patchstack.com"}