crowdfavorite progressive_license 跨站请求伪造（csrf）

admin

0
文章

0
评论

2023-11-30 06:38:24 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

crowdfavorite progressive_license 跨站请求伪造（csrf）

CVE编号

CVE-2022-2171

利用情况

暂无

补丁情况

N/A

披露时间

2022-08-01

漏洞描述

The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	crowdfavorite	progressive_license	*		Up to (including) 1.1.0
	运行在以下环境
	系统	amazon_2022	python-twisted	*		Up to (excluding) 22.4.0-123.amzn2022.0.1
	运行在以下环境
	系统	amazon_2023	python-twisted	*		Up to (excluding) 22.4.0-124.amzn2023.0.2
	运行在以下环境
	系统	centos_8	grafana-debuginfo	*		Up to (excluding) 7.5.15-3.el8
	运行在以下环境
	系统	fedora_34	grafana-debuginfo	*		Up to (excluding) 7.5.15-2.fc34
	运行在以下环境
	系统	fedora_35	grafana-debuginfo	*		Up to (excluding) 22.4.0-1.fc35
	运行在以下环境
	系统	fedora_36	grafana-debuginfo	*		Up to (excluding) 22.4.0-1.fc36
	运行在以下环境
	系统	fedora_37	python-twisted	*		Up to (excluding) 22.4.0-1.fc37
	运行在以下环境
	系统	fedora_EPEL_8	python-twisted	*		Up to (excluding) 19.10.0-4.el8
	运行在以下环境
	系统	opensuse_Leap_15.3	grafana	*		Up to (excluding) 0.10.0-150000.1.3.1
	运行在以下环境
	系统	opensuse_Leap_15.4	grafana	*		Up to (excluding) 8.3.10-150200.3.26.1
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 7.5.15-3.el8
	运行在以下环境
	系统	oracle_9	oraclelinux-release	*		Up to (excluding) 7.5.15-3.el9
	运行在以下环境
	系统	redhat_8	grafana-debuginfo	*		Up to (excluding) 7.5.15-3.el8
	运行在以下环境
	系统	redhat_9	grafana-debuginfo	*		Up to (excluding) 7.5.15-3.el9
	运行在以下环境
	系统	suse_12_SP5	golang-github-prometheus-node_exporter	*		Up to (excluding) 1.3.0-1.15.3