CVE-2022-3119

Published: 2022-09-26 13:15:11
CWE: CWE-352 (Cross-Site Request Forgery), CWE-287 (Improper Authentication)
Source: web.nvd.nist.gov
Tags: nvd, cve-2022-3119, wordpress, plugin, oauth, single sign on, authorization, csrf, unauthenticated, attack, admin
CVSS v3.1: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: None
  Integrity Impact: High
  Availability Impact: None

EPSS: 0.001 (Low), percentile 39.9%

The OAuth client Single Sign On WordPress plugin before 3.0.4 performs neither an authorisation check nor a CSRF (nonce) check when updating its settings. An unauthenticated attacker can therefore update them and point the OAuth endpoints at servers they control; because the plugin maps the identity returned by the OAuth provider to a WordPress account by e-mail address, an attacker-controlled provider can assert the administrator's address, and the attacker is then authenticated as admin if they know the correct e-mail address.
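
The following added illustration (it is not code from the miniOrange plugin or from this advisory) shows the bug class in WordPress terms: a settings handler that writes the OAuth endpoint URLs without any capability or nonce check, beside the hardened form of the same handler. All function, hook, option and form-field names (example_sso_*) are hypothetical; the real plugin's handlers and option names are not on this page.

```php
<?php
// Added illustration, not the plugin's code. Every example_sso_* name is hypothetical.

// --- Vulnerable pattern (the class of bug CVE-2022-3119 describes) ---
// Hooked on 'init', so it runs for every request, including a cross-site form
// POST from an unauthenticated visitor. No capability check, no nonce check,
// no validation: whoever reaches it can rewrite the OAuth endpoints.
function example_sso_save_settings_vulnerable() {
    if ( isset( $_POST['example_sso_authorize_url'] ) ) {
        update_option( 'example_sso_authorize_url', $_POST['example_sso_authorize_url'] );
        update_option( 'example_sso_token_url',     $_POST['example_sso_token_url'] );
        update_option( 'example_sso_userinfo_url',  $_POST['example_sso_userinfo_url'] );
    }
}
add_action( 'init', 'example_sso_save_settings_vulnerable' );

// --- Hardened pattern ---
// 1. Register only admin_post_{action}; admin_post_nopriv_{action} is deliberately
//    left unregistered, so logged-out requests never reach the handler.
// 2. Explicit capability check (authorization): a logged-in subscriber is not enough.
// 3. Nonce bound to this action and the current user (CSRF).
// 4. Sanitize and validate the URLs before storing them.
function example_sso_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with 403 if the nonce is missing, expired, or issued for another action/user.
    check_admin_referer( 'example_sso_save_settings', 'example_sso_nonce' );

    foreach ( array( 'authorize_url', 'token_url', 'userinfo_url' ) as $key ) {
        $field = 'example_sso_' . $key;
        $raw   = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        $url   = esc_url_raw( $raw, array( 'https' ) );         // only https endpoints accepted
        if ( '' === $url || ! wp_http_validate_url( $url ) ) {  // rejects malformed / local URLs
            wp_die( 'Invalid endpoint URL for ' . esc_html( $key ), '', array( 'response' => 400 ) );
        }
        update_option( $field, $url );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-sso' ) ) );
    exit;
}
add_action( 'admin_post_example_sso_save_settings', 'example_sso_save_settings_hardened' );

// Settings form: the nonce field emitted here is what check_admin_referer() verifies.
function example_sso_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sso_save_settings">
        <?php wp_nonce_field( 'example_sso_save_settings', 'example_sso_nonce' ); ?>
        <input type="url" name="example_sso_authorize_url" value="<?php echo esc_attr( get_option( 'example_sso_authorize_url', '' ) ); ?>">
        <input type="url" name="example_sso_token_url"     value="<?php echo esc_attr( get_option( 'example_sso_token_url', '' ) ); ?>">
        <input type="url" name="example_sso_userinfo_url"  value="<?php echo esc_attr( get_option( 'example_sso_userinfo_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Why the endpoint swap matters: once the userinfo (or token) endpoint belongs to the attacker, the "provider" can return any identity claim it likes, and a plugin that selects the WordPress account by the returned e-mail address will log the attacker in as whichever user owns that address. When reviewing a plugin for this class of issue, look for every code path that calls update_option() on request data and confirm it is reachable only through a handler that checks both a capability (current_user_can) and a nonce (check_admin_referer / wp_verify_nonce); when responding to a suspected compromise, compare the stored OAuth endpoint options against the expected provider hosts.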

Affected configurations

Vulners / NVD:
  Vendor: miniorange
  Product: oauth_2.0_client_for_sso
  Version range: < 3.0.4
  CPE: cpe:2.3:a:miniorange:oauth_2\.0_client_for_sso:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.0.4",
        "status": "affected",
        "version": "3.0.4",
        "versionType": "custom"
      }
    ]
  }
]
