CVE-2022-1194

2022-09-1609:15:10

CWE-1236

[email protected]

web.nvd.nist.gov

mobile events manager

wordpress plugin

cve-2022-1194

csv injection

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.4%

JSON

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.

Affected configurations

Vulners

NVD

Node

netweblogicevents_managerRange<1.4.8

VendorProductVersionCPE
netweblogicevents_manager*cpe:2.3:a:netweblogic:events_manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
netweblogic	events_manager	*	cpe:2.3:a:netweblogic:events_manager::::::::

CNA Affected

[
  {
    "product": "Mobile Events Manager",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.4.8",
        "status": "affected",
        "version": "1.4.8",
        "versionType": "custom"
      }
    ]
  }
]