Jul 25, 2022 - 1:15 p.m.

CVE-2022-2240

2022-07-25 13:15:08
CWE-1236
web.nvd.nist.gov
cve-2022-2240
request a quote
wordpress plugin
csv files
unauthenticated users
csv injection
nvd

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.8 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 66.4%)

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to CSV injection once an admin downloads and opens it.

Affected configurations

Node: emarketdesign request_a_quote, Range 2.3.7

Vendor: emarketdesign
Product: request_a_quote
Version: *
CPE: cpe:2.3:a:emarketdesign:request_a_quote:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Request a Quote",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "2.3.7",
        "status": "affected",
        "version": "2.3.7",
        "versionType": "custom"
      }
    ]
  }
]
