CVE-2022-2839
Summary
| CVE | CVE-2022-2839 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-10-03 14:15:00 UTC |
| Updated | 2022-10-04 20:34:00 UTC |
| Description | The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation or CSRF checks in any of its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged-in admins. |
Risk And Classification
Problem Types: CWE-352 (Cross-Site Request Forgery) | CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-Site Scripting)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zephyr-one | Zephyr Project Manager | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS WordPress Security Vulnerability | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Rizacan Tufan
There are currently no legacy QID mappings associated with this CVE.