Lucene search

PatchstackCVE-2024-37437

HistoryJul 09, 2024 - 11:15 a.m.

CVE-2024-37437

2024-07-0911:15:14

CWE-22

CWE-79

Patchstack

web.nvd.nist.gov

cve-2024-37437

path traversal

cross-site scripting

elementor website builder

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

17.0%

JSON

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Elementor Elementor Website Builder allows Cross-Site Scripting (XSS), Stored XSS.This issue affects Elementor Website Builder: from n/a through 3.22.1.

Affected configurations

Nvd

Vulners

Node

elementorwebsite_builderRange<3.22.2wordpress

VendorProductVersionCPE
elementorwebsite_builder*cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
elementor	website_builder	*	cpe:2.3:a:elementor:website_builder::::::wordpress::*

CNA Affected

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "elementor",
    "product": "Elementor Website Builder",
    "vendor": "Elementor",
    "versions": [
      {
        "changes": [
          {
            "at": "3.22.2",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.22.1",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/elementor/wordpress-elementor-website-builder-more-than-just-a-page-builder-plugin-3-22-1-arbitrary-file-download-vulnerability?_s_id=cve