CVE-2024-0236

2024-01-1616:15:14

CWE-862

[email protected]

web.nvd.nist.gov

cve-2024-0236

eventon

wordpress plugin

authorization bypass

ajax action

security vulnerability

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

20.7%

JSON

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

Affected configurations

Vulners

NVD

Node

myeventoneventonRange<4.5.5

myeventoneventonRange<2.2.7

VendorProductVersionCPE
myeventoneventon*cpe:2.3:a:myeventon:eventon:*:*:*:*:*:*:*:*
myeventoneventon*cpe:2.3:a:myeventon:eventon:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
myeventon	eventon	*	cpe:2.3:a:myeventon:eventon::::::::
myeventon	eventon	*	cpe:2.3:a:myeventon:eventon::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "EventON",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "4.5.5"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "EventON",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.2.7"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]