Lucene search

[email protected]CVE-2015-6828

HistorySep 16, 2015 - 2:59 p.m.

CVE-2015-6828

2015-09-1614:59:04

CWE-20

[email protected]

web.nvd.nist.gov

wordpress

security audit

plugin

cve-2015-6828

php

object injection

https

man-in-the-middle

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

62.1%

JSON

The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man-in-the-middle attackers to conduct PHP object injection attacks and execute arbitrary PHP code by modifying the client-server data stream. NOTE: some of these details are obtained from third party information.

Affected configurations

NVD

Node

securemozsecurity_auditRange≤1.0.5wordpress

CPENameOperatorVersion
securemoz:security_auditsecuremoz security auditle1.0.5

CPE	Name	Operator	Version
securemoz:security_audit	securemoz security audit	le	1.0.5

References

www.openwall.com/lists/oss-security/2015/09/05/4

www.openwall.com/lists/oss-security/2015/09/06/3

wpvulndb.com/vulnerabilities/8179

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

62.1%

JSON

Related for CVE-2015-6828

wpvulndb1 prion1 nvd1 patchstack1 cvelist1