All the vulnerabilities related to AYS Pro Plugins - Survey Maker
cve-2023-34423
Vulnerability from cvelistv5
Published
2024-04-03 07:09
Modified
2024-11-06 14:40
Summary
Survey Maker prior to 3.6.4 contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who is logged in to the website using the product with administrative privileges.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
AYS Pro Plugins | Survey Maker |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-34423", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:42:37.716453Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T14:40:54.619Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:07.128Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/plugins/survey-maker/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN51098626/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Survey Maker", "vendor": "AYS Pro Plugins", "versions": [ { "status": "affected", "version": "prior to 3.6.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Survey Maker prior to 3.6.4 contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product with the administrative privilege." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-03T07:09:42.923Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/survey-maker/" }, { "url": "https://jvn.jp/en/jp/JVN51098626/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-34423", "datePublished": "2024-04-03T07:09:42.923Z", "dateReserved": "2023-08-24T08:08:44.050Z", "dateUpdated": "2024-11-06T14:40:54.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-35764
Vulnerability from cvelistv5
Published
2024-04-03 07:10
Modified
2024-08-12 20:21
Summary
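An insufficient verification of data authenticity issue in Survey Maker prior to 3.6.4 allows a remote unauthenticated attacker to spoof an IP address when posting. Note that the affected-version fields of the record below disagree with this description: the CNA entry lists "prior to 4.1.0" and the CISA ADP entry lists versions less than 4.1.0, so confirm the fixed release against the JVN advisory before treating 3.6.4 as patched.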
References
Impacted products
▼ | Vendor | Product |
---|---|---|
AYS Pro Plugins | Survey Maker |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:30:44.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/plugins/survey-maker/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN51098626/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:ays-pro:survey_maker:*:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unknown", "product": "survey_maker", "vendor": "ays-pro", "versions": [ { "lessThan": "4.1.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-35764", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-12T20:18:24.312370Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:21:25.142Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Survey Maker", "vendor": "AYS Pro Plugins", "versions": [ { "status": "affected", "version": "prior to 4.1.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Insufficient verification of data authenticity issue in Survey Maker prior to 3.6.4 allows a remote unauthenticated attacker to spoof an IP 
address when posting." } ], "problemTypes": [ { "descriptions": [ { "description": "Insufficient verification of data authenticity", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-03T07:10:07.459Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/survey-maker/" }, { "url": "https://jvn.jp/en/jp/JVN51098626/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2023-35764", "datePublished": "2024-04-03T07:10:07.459Z", "dateReserved": "2023-08-24T08:08:43.129Z", "dateUpdated": "2024-08-12T20:21:25.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2024-000035
Vulnerability from jvndb
Published
2024-03-27 14:48
Modified
2024-03-27 14:48
Summary
Multiple vulnerabilities in WordPress Plugin "Survey Maker"
Details
WordPress Plugin "Survey Maker" provided by AYS Pro Plugins contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2023-34423
- Insufficient verification of data authenticity (CWE-345) - CVE-2023-35764
Atsuya Yoda of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN51098626/index.html | |
CVE | https://www.cve.org/CVERecord?id=CVE-2023-34423 | |
CVE | https://www.cve.org/CVERecord?id=CVE-2023-35764 | |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
AYS Pro Plugins | Survey Maker | |
AYS Pro Plugins | Survey Maker |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000035.html", "dc:date": "2024-03-27T14:48+09:00", "dcterms:issued": "2024-03-27T14:48+09:00", "dcterms:modified": "2024-03-27T14:48+09:00", "description": "WordPress Plugin \"Survey Maker\" provided by AYS Pro Plugins contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting (CWE-79) - CVE-2023-34423\u003c/li\u003e\r\n\u003cli\u003eInsufficient verification of data authenticity (CWE-345) - CVE-2023-35764\u003c/li\u003e\u003c/ul\u003e\r\nAtsuya Yoda of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000035.html", "sec:cpe": [ { "#text": "cpe:/a:ays-pro:survey_maker", "@product": "Survey Maker", "@vendor": "AYS Pro Plugins", "@version": "2.2" }, { "#text": "cpe:/a:ays-pro:survey_maker", "@product": "Survey Maker", "@vendor": "AYS Pro Plugins", "@version": "2.2" } ], "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2024-000035", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN51098626/index.html", "@id": "JVN#51098626", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-34423", "@id": "CVE-2023-34423", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-35764", "@id": "CVE-2023-35764", "@source": "CVE" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": 
"Multiple vulnerabilities in WordPress Plugin \"Survey Maker\"" }