Lucene search

MitreCVE-2024-36679

HistoryJun 19, 2024 - 9:15 p.m.

CVE-2024-36679

2024-06-1921:15:57

CWE-94

mitre

web.nvd.nist.gov

module live chat pro

all in one messaging

php code injection

predictable token

savetranslations

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

Low

EPSS

Percentile

9.0%

JSON

In the module “Module Live Chat Pro (All in One Messaging)” (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method Lcp::saveTranslations() suffer of a white writer that can inject PHP code into a PHP file.

References

security.friendsofpresta.org/modules/2024/06/18/livechatpro.html

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-36679