Lucene search

[email protected]CVE-2022-2846

HistoryAug 16, 2022 - 7:15 p.m.

CVE-2022-2846

2022-08-1619:15:09

CWE-352

CWE-862

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-2846

calendar event multi view

wordpress plugin

authorization

csrf

sanitization

escaping

unauthenticated attackers

cross-site scripting

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.5%

JSON

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.

Affected configurations

Vulners

NVD

Node

unknowncalendar_event_multi_viewRange1.4.07–1.4.07

CPENameOperatorVersion
dwbooster:calendar_event_multi_viewdwbooster calendar event multi viewlt1.4.07

CPE	Name	Operator	Version
dwbooster:calendar_event_multi_view	dwbooster calendar event multi view	lt	1.4.07

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Calendar Event Multi View",
    "versions": [
      {
        "version": "1.4.07",
        "status": "affected",
        "lessThan": "1.4.07",
        "versionType": "custom"
      }
    ]
  }
]