Lucene search

[email protected]NVD:CVE-2024-36679

HistoryJun 19, 2024 - 9:15 p.m.

CVE-2024-36679

2024-06-1921:15:57

CWE-94

[email protected]

web.nvd.nist.gov

module live chat pro

php code injection

predictable token

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

In the module “Module Live Chat Pro (All in One Messaging)” (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method Lcp::saveTranslations() suffer of a white writer that can inject PHP code into a PHP file.

References

security.friendsofpresta.org/modules/2024/06/18/livechatpro.html

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-36679

cvelist1 cve1 vulnrichment1