Vulnerability-Lookup

CVE-2021-24277 (GCVE-0-2021-24277)

Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28

Title

RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)

Summary

The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues

Severity ?

No CVSS data available.

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

WPScan

References

URL

Tags

https://wpscan.com/vulnerability/8ebf56be-46c0-44…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Flector	RSS for Yandex Turbo	Affected: 1.30 , < 1.30 (custom)

Credits

Himamshu Dilip Kulkarni

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:22.658Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RSS for Yandex Turbo",
          "vendor": "Flector",
          "versions": [
            {
              "lessThan": "1.30",
              "status": "affected",
              "version": "1.30",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Himamshu Dilip Kulkarni"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-14T11:38:16",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RSS for Yandex Turbo \u003c 1.30 - Authenticated Stored Cross-Site Scripting (XSS)",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24277",
          "STATE": "PUBLIC",
          "TITLE": "RSS for Yandex Turbo \u003c 1.30 - Authenticated Stored Cross-Site Scripting (XSS)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RSS for Yandex Turbo",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.30",
                            "version_value": "1.30"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Flector"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Himamshu Dilip Kulkarni"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4",
              "refsource": "CONFIRM",
              "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24277",
    "datePublished": "2021-05-14T11:38:16",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:28:22.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wpuslugi:rss_for_yandex_turbo:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.30\", \"matchCriteriaId\": \"5AB710E4-11CA-4605-A6C1-C48F4DD95DC2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \\u0421\\u0447\\u0435\\u0442\\u0447\\u0438\\u043a\\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues\"}, {\"lang\": \"es\", \"value\": \"El plugin de WordPress RSS for Yandex Turbo versiones anteriores a 1.30 no sanean apropiadamente las entradas del usuario desde su pesta\\u00f1a de configuraci\\u00f3n \\u00d0\\u00a1\\u00d1\\u2021\\u00d0\\u00b5\\u00d1\\u201a\\u00d1\\u2021\\u00d0\\u00b8\\u00d0\\u00ba\\u00d0\\u00b8 antes de devolverlas a la p\\u00e1gina, lo que conlleva a problemas de tipo cross-site scripting almacenado y no autenticado\"}]",
      "id": "CVE-2021-24277",
      "lastModified": "2024-11-21T05:52:44.633",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-05-14T12:15:08.160",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-24277\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2021-05-14T12:15:08.160\",\"lastModified\":\"2024-11-21T05:52:44.633\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues\"},{\"lang\":\"es\",\"value\":\"El plugin de WordPress RSS for Yandex Turbo versiones anteriores a 1.30 no sanean apropiadamente las entradas del usuario desde su pesta\u00f1a de configuraci\u00f3n \u00d0\u00a1\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u2021\u00d0\u00b8\u00d0\u00ba\u00d0\u00b8 antes de devolverlas a la p\u00e1gina, lo que conlleva a problemas de tipo cross-site scripting almacenado y no autenticado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wpuslugi:rss_for_yandex_turbo:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.30\",\"matchCriteriaId\":\"5AB710E4-11CA-4605-A6C1-C48F4DD95DC2\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GHSA-58VX-VC62-43FR

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28

Details

The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its Ð¡Ñ‡ÐµÑ‚Ñ‡Ð¸ÐºÐ¸ settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-24277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-14T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u00d0\u00a1\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u2021\u00d0\u00b8\u00d0\u00ba\u00d0\u00b8 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues",
  "id": "GHSA-58vx-vc62-43fr",
  "modified": "2022-05-24T22:28:15Z",
  "published": "2022-05-24T22:28:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24277"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2021-24277

Vulnerability from fkie_nvd - Published: 2021-05-14 12:15 - Updated: 2024-11-21 05:52

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	contact@wpscan.com	https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	wpuslugi	rss_for_yandex_turbo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wpuslugi:rss_for_yandex_turbo:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "5AB710E4-11CA-4605-A6C1-C48F4DD95DC2",
              "versionEndExcluding": "1.30",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues"
    },
    {
      "lang": "es",
      "value": "El plugin de WordPress RSS for Yandex Turbo versiones anteriores a 1.30 no sanean apropiadamente las entradas del usuario desde su pesta\u00f1a de configuraci\u00f3n \u00d0\u00a1\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u2021\u00d0\u00b8\u00d0\u00ba\u00d0\u00b8 antes de devolverlas a la p\u00e1gina, lo que conlleva a problemas de tipo cross-site scripting almacenado y no autenticado"
    }
  ],
  "id": "CVE-2021-24277",
  "lastModified": "2024-11-21T05:52:44.633",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-14T12:15:08.160",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    }
  ]
}

CNVD-2021-39961

Vulnerability from cnvd - Published: 2021-06-07

Title

WordPress plugin跨站脚本漏洞

Description

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 RSS for Yandex Turbo WordPress plugin 1.30之前版本存在跨站脚本漏洞。该漏洞源于程序未对输入进行正确过滤。攻击者可利用该漏洞导致跨站脚本执行。

Severity

低

Patch Name

WordPress plugin跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-24277

Impacted products

Name
WordPress RSS for Yandex Turbo WordPress plugin <1.30

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-24277",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-24277"
    }
  },
  "description": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\n\nRSS for Yandex Turbo WordPress plugin 1.30\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u8f93\u5165\u8fdb\u884c\u6b63\u786e\u8fc7\u6ee4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6267\u884c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-39961",
  "openTime": "2021-06-07",
  "patchDescription": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n\r\nRSS for Yandex Turbo WordPress plugin 1.30\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u8f93\u5165\u8fdb\u884c\u6b63\u786e\u8fc7\u6ee4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress plugin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress RSS for Yandex Turbo WordPress plugin \u003c1.30"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-24277",
  "serverity": "\u4f4e",
  "submitTime": "2021-05-17",
  "title": "WordPress plugin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

GSD-2021-24277

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-24277

Aliases

CVE-2021-24277

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-24277",
    "description": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues",
    "id": "GSD-2021-24277"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-24277"
      ],
      "details": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues",
      "id": "GSD-2021-24277",
      "modified": "2023-12-13T01:23:37.612095Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "contact@wpscan.com",
        "ID": "CVE-2021-24277",
        "STATE": "PUBLIC",
        "TITLE": "RSS for Yandex Turbo \u003c 1.30 - Authenticated Stored Cross-Site Scripting (XSS)"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "RSS for Yandex Turbo",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.30",
                          "version_value": "1.30"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Flector"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Himamshu Dilip Kulkarni"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u0421\u0447\u0435\u0442\u0447\u0438\u043a\u0438 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues"
          }
        ]
      },
      "generator": "WPScan CVE Generator",
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79 Cross-site Scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4",
            "refsource": "CONFIRM",
            "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wpuslugi:rss_for_yandex_turbo:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.30",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24277"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its \u00d0\u00a1\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u2021\u00d0\u00b8\u00d0\u00ba\u00d0\u00b8 settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://wpscan.com/vulnerability/8ebf56be-46c0-4435-819f-dc30370eafa4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-05-21T18:45Z",
      "publishedDate": "2021-05-14T12:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-24277 (GCVE-0-2021-24277)

GHSA-58VX-VC62-43FR

FKIE_CVE-2021-24277

CNVD-2021-39961

GSD-2021-24277

Tags

Sightings

Nomenclature