CVE-2021-24133

🗓️ 18 Mar 2021 14:57:49Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 44 Views🌐 WEB

Lack of CSRF checks in ActiveCampaign WP plugin v8.0.2 allows admin to change API Credentials to attacker's accoun

Reporter	Title	Published	Views	Family All 10
CNNVD	Wordpress ActiveCampaign 跨站请求伪造漏洞	18 Mar 202100:00	–	cnnvd
CNVD	Wordpress ActiveCampaign Cross-Site Request Forgery Vulnerability	19 Mar 202100:00	–	cnvd
Cvelist	CVE-2021-24133 ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings	18 Mar 202114:57	–	cvelist
EUVD	EUVD-2021-11047	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24133	18 Mar 202115:15	–	nvd
OSV	CVE-2021-24133	18 Mar 202115:15	–	osv
Prion	Cross site request forgery (csrf)	18 Mar 202115:15	–	prion
RedhatCVE	CVE-2021-24133	22 May 202519:20	–	redhatcve
wpexploit	ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings	6 Sep 202000:00	–	wpexploit
WPVulnDB	ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings	6 Sep 202000:00	–	wpvulndb

NVD

Vulners

Node

activecampaign activecampaignRange<8.0.2wordpress

[
  {
    "product": "ActiveCampaign",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "8.0.2",
        "status": "affected",
        "version": "8.0.2",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/a72a5be4-654b-496f-94cd-3814c0e40120

Parameter	Position	Path	Description	CWE
api_url	request body	wp-admin/options-general.php?page=activecampaign	CSRF vulnerability enabling an authenticated admin to change API credentials via a POST to the Settings page.	CWE-352
api_key	request body	wp-admin/options-general.php?page=activecampaign	CSRF vulnerability enabling an authenticated admin to change API credentials via a POST to the Settings page.	CWE-352

21 Nov 2024 05:52Current

4.5Medium risk

Vulners AI Score4.5

CVSS 3.14.3

CVSS 24.3

EPSS0.00103

CWE-352