CVE-2021-24549

The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://codevigilant.com/disclosure/2021/wp-plugin-aceide/	Exploit Third Party Advisory
https://wpscan.com/vulnerability/c594abaf-b152-448c-8a20-9b3267fe547a	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aceide_project:aceide:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2021-08-23 12:15

Updated : 2021-08-26 19:23

NVD link : CVE-2021-24549

Mitre link : CVE-2021-24549

CVE.ORG link : CVE-2021-24549

JSON object : View

Products Affected

aceide_project

aceide

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-24549", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2021-08-23T12:15:09.567", "references": [{"url": "https://codevigilant.com/disclosure/2021/wp-plugin-aceide/", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/c594abaf-b152-448c-8a20-9b3267fe547a", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack."}, {"lang": "es", "value": "El plugin AceIDE WordPress versiones hasta 2.6.2, no sanea ni comprueba la entrada del usuario que se anexa a las rutas del sistema antes de usarla en varias acciones, como la lectura de archivos arbitrarios desde el servidor. Esto permite a usuarios con altos privilegios, como el administrador, acceder a cualquier archivo en el servidor web fuera del directorio del blog por medio de un ataque de salto de ruta."}], "lastModified": "2021-08-26T19:23:58.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aceide_project:aceide:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "E62E3E51-92FA-4E2F-A2B5-B3D2140B8507", "versionEndIncluding": "2.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}