CVE-2024-0237

2024-01-1616:15:14

CWE-862

[email protected]

web.nvd.nist.gov

eventon

wordpress

cve-2024-0237

security vulnerability

unauthenticated access

ajax actions

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

20.7%

JSON

The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc

Affected configurations

Vulners

NVD

Node

myeventoneventonRange<4.5.8

myeventoneventonRange<2.2.7

VendorProductVersionCPE
myeventoneventon*cpe:2.3:a:myeventon:eventon:*:*:*:*:*:*:*:*
myeventoneventon*cpe:2.3:a:myeventon:eventon:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
myeventon	eventon	*	cpe:2.3:a:myeventon:eventon::::::::
myeventon	eventon	*	cpe:2.3:a:myeventon:eventon::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "EventON Premium",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "4.5.8"
      }
    ],
    "defaultStatus": "affected"
  },
  {
    "vendor": "Unknown",
    "product": "EventON",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.2.7"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]