Lucene search

[email protected]CVE-2021-24145

HistoryMar 18, 2021 - 3:15 p.m.

CVE-2021-24145

2021-03-1815:15:15

CWE-434

[email protected]

web.nvd.nist.gov

166

cve-2021-24145

arbitrary file upload

modern events calendar lite

wordpress plugin

security vulnerability

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.963 High

EPSS

Percentile

99.6%

JSON

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the ‘text/csv’ content-type in the request.

Affected configurations

Vulners

NVD

Node

webnusmodern_events_calendar_liteRange<5.16.5

VendorProductVersionCPE
webnusmodern_events_calendar_lite*cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
webnus	modern_events_calendar_lite	*	cpe:2.3:a:webnus:modern_events_calendar_lite::::::::

CNA Affected

[
  {
    "product": "Modern Events Calendar Lite",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "5.16.5",
        "status": "affected",
        "version": "5.16.5",
        "versionType": "custom"
      }
    ]
  }
]