Lucene search

PatchstackCVE-2024-43353

HistoryAug 18, 2024 - 1:15 p.m.

CVE-2024-43353

2024-08-1813:15:03

CWE-79

Patchstack

web.nvd.nist.gov

cve-2024-43353

mycred

stored xss

web page generation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS

Percentile

9.5%

JSON

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in myCred allows Stored XSS.This issue affects myCred: from n/a through 2.7.2.

Affected configurations

Vulners

Node

mycredmycredRange≤2.7.2wordpress

VendorProductVersionCPE
mycredmycred*cpe:2.3:a:mycred:mycred:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
mycred	mycred	*	cpe:2.3:a:mycred:mycred::::::wordpress::*

CNA Affected

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "mycred",
    "product": "myCred",
    "vendor": "myCred",
    "versions": [
      {
        "changes": [
          {
            "at": "2.7.3",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "2.7.2",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/mycred/wordpress-mycred-plugin-2-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve