cvelist | NCSC.ch | CVELIST:CVE-2023-28733
History: Mar 30, 2023 - 11:27 a.m.

CVE-2023-28733 Stored XSS affecting the AcyMailing plugin for Joomla

2023-03-30 11:27:40
CWE-116
CWE-20
NCSC.ch
www.cve.org
cve-2023-28733
stored cross site scripting
acymailing plugin
joomla
authentication bypass
front-office access
anymailing
enterprise
version 8.3.0

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 30.0%

The AcyMailing Joomla Plugin is vulnerable to stored cross-site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access to campaign creation is granted on the front office.

This issue affects the AcyMailing Joomla Plugin Enterprise in versions below 8.3.0.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Newsletter Plugin for Joomla in the Enterprise version ",
    "vendor": "AcyMailing",
    "versions": [
      {
        "lessThan": "8.3.0",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]
