exploitDog

CVE-2020-35934

Опубликовано: 01 янв. 2021

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).

Ссылки

https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-in-advanced-access-manager/
Exploit
Third Party Advisory
https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-in-advanced-access-manager/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vasyltech:advanced_access_manager:*:*:*:*:*:wordpress:*:*

Версия до 6.6.2 (исключая)

EPSS

Процентиль: 55%

0.00328

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-7q52-2r47-35qw

CVSS3: 4.3

github

больше 3 лет назад

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).

EPSS

Процентиль: 55%

0.00328

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200