Lucene search

[email protected]NVD:CVE-2023-0291

HistoryJun 09, 2023 - 6:15 a.m.

CVE-2023-0291

2023-06-0906:15:48

[email protected]

web.nvd.nist.gov

authorization bypass

missing capability check

ajax action

unauthenticated attackers

arbitrary media files

cve-2023-0291

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

61.3%

JSON

The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Affected configurations

Nvd

Node

expresstechquiz_and_survey_masterRange≤8.0.8wordpress

VendorProductVersionCPE
expresstechquiz_and_survey_master*cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
expresstech	quiz_and_survey_master	*	cpe:2.3:a:expresstech:quiz_and_survey_master::::::wordpress::*

References

packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt

plugins.trac.wordpress.org/changeset/2834471/quiz-master-next

wordpress.org/plugins/quiz-master-next/

www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

61.3%

JSON

Related for NVD:CVE-2023-0291

prion1 osv1 cvelist1 cve1 zdt2 packetstorm2 wordfence1