CVE-2022-0919 (GCVE-0-2022-0919)

Vulnerability from cvelistv5 – Published: 2022-04-11 14:40 – Updated: 2024-08-02 23:47
VLAI?
Summary
The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
Unknown Salon booking system Affected: 7.6.3 , < 7.6.3 (custom)
Create a notification for this product.
Credits
Huli from Cymetrics
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:42.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Salon booking system",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.6.3",
              "status": "affected",
              "version": "7.6.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Salon Booking System Pro",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.6.3",
              "status": "affected",
              "version": "7.6.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Huli from Cymetrics"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-11T14:40:56",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Salon booking system \u003c 7.6.3 - Unauthenticated Sensitive Data Disclosure",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0919",
          "STATE": "PUBLIC",
          "TITLE": "Salon booking system \u003c 7.6.3 - Unauthenticated Sensitive Data Disclosure"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Salon booking system",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "7.6.3",
                            "version_value": "7.6.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Salon Booking System Pro",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "7.6.3",
                            "version_value": "7.6.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Huli from Cymetrics"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0919",
    "datePublished": "2022-04-11T14:40:56",
    "dateReserved": "2022-03-10T00:00:00",
    "dateUpdated": "2024-08-02T23:47:42.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:salonbookingsystem:salon_booking_system:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"7.6.3\", \"matchCriteriaId\": \"0AFD6C6A-880C-4655-B82E-30C6FFA6062C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.\"}, {\"lang\": \"es\", \"value\": \"Los plugins Salon booking system Free y pro de WordPress versiones anteriores a 7.6.3, no presentan la autorizaci\\u00f3n apropiada cuando buscan reservas, lo que permite a cualquier usuario no autenticado buscar las reservas de otros, as\\u00ed como recuperar informaci\\u00f3n confidencial sobre las reservas, como el nombre completo, el correo electr\\u00f3nico y el n\\u00famero de tel\\u00e9fono de la persona que las reserv\\u00f3\"}]",
      "id": "CVE-2022-0919",
      "lastModified": "2024-11-21T06:39:40.110",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-11T15:15:08.690",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0919\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-04-11T15:15:08.690\",\"lastModified\":\"2024-11-21T06:39:40.110\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.\"},{\"lang\":\"es\",\"value\":\"Los plugins Salon booking system Free y pro de WordPress versiones anteriores a 7.6.3, no presentan la autorizaci\u00f3n apropiada cuando buscan reservas, lo que permite a cualquier usuario no autenticado buscar las reservas de otros, as\u00ed como recuperar informaci\u00f3n confidencial sobre las reservas, como el nombre completo, el correo electr\u00f3nico y el n\u00famero de tel\u00e9fono de la persona que las reserv\u00f3\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:salonbookingsystem:salon_booking_system:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"7.6.3\",\"matchCriteriaId\":\"0AFD6C6A-880C-4655-B82E-30C6FFA6062C\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.