exploitDog

CVE-2022-2080

Опубликовано: 29 авг. 2022

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

Ссылки

https://hackerone.com/reports/1592596
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5
Third Party Advisory
https://hackerone.com/reports/1592596
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:wordpress:*:*

Версия до 4.5.2 (исключая)

EPSS

Процентиль: 58%

0.00361

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-639

Связанные уязвимости

GHSA-35xw-38xf-5f44

CVSS3: 4.3

github

больше 3 лет назад

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

EPSS

Процентиль: 58%

0.00361

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-639