Lucene search

[email protected]CVE-2022-1119

HistoryApr 19, 2022 - 9:15 p.m.

CVE-2022-1119

2022-04-1921:15:13

CWE-22

[email protected]

web.nvd.nist.gov

In Wild

simple file list

wordpress plugin

vulnerability

arbitrary file download

cve-2022-1119

nvd

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.379 Low

EPSS

Percentile

97.2%

JSON

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

Affected configurations

Vulners

NVD

Node

eemitchsimple_file_listRange≤3.2.7

CPENameOperatorVersion
simplefilelist:simple-file-listsimplefilelist simple-file-listlt3.2.8

CPE	Name	Operator	Version
simplefilelist:simple-file-list	simplefilelist simple-file-list	lt	3.2.8

CNA Affected

[
  {
    "vendor": "eemitch",
    "product": "Simple File List",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.2.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]