cvelistv5 - cve-2023-40068

cve-2023-40068

Vulnerability from cvelistv5

Published

2023-08-21 08:13

Modified

2024-08-02 18:24

Severity

Summary

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

References

Source	URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN98946408/	Third Party Advisory
vultures@jpcert.or.jp	https://wordpress.org/plugins/advanced-custom-fields/	Product
vultures@jpcert.or.jp	https://www.advancedcustomfields.com/	Product
vultures@jpcert.or.jp	https://www.advancedcustomfields.com/blog/acf-6-1-8/	Release Notes, Vendor Advisory

Impacted products

Vendor	Product
WP Engine	Advanced Custom Fields
WP Engine	Advanced Custom Fields Pro

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:24:55.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.advancedcustomfields.com/blog/acf-6-1-8/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/advanced-custom-fields/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.advancedcustomfields.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN98946408/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Advanced Custom Fields",
          "vendor": "WP Engine",
          "versions": [
            {
              "status": "affected",
              "version": "versions 6.1.0 to 6.1.7"
            }
          ]
        },
        {
          "product": "Advanced Custom Fields Pro",
          "vendor": "WP Engine",
          "versions": [
            {
              "status": "affected",
              "version": "versions 6.1.0 to 6.1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-21T08:13:50.271Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.advancedcustomfields.com/blog/acf-6-1-8/"
        },
        {
          "url": "https://wordpress.org/plugins/advanced-custom-fields/"
        },
        {
          "url": "https://www.advancedcustomfields.com/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN98946408/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-40068",
    "datePublished": "2023-08-21T08:13:50.271Z",
    "dateReserved": "2023-08-09T02:20:30.651Z",
    "dateUpdated": "2024-08-02T18:24:55.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40068\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2023-08-21T09:15:10.430\",\"lastModified\":\"2023-08-25T16:10:43.683\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:-:wordpress:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndIncluding\":\"6.1.7\",\"matchCriteriaId\":\"8EF03DA3-87E4-4449-BE67-43FEBE09952B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndIncluding\":\"6.1.7\",\"matchCriteriaId\":\"E5706ED3-7C74-487F-B198-A0EB7FAE9DD3\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN98946408/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://wordpress.org/plugins/advanced-custom-fields/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Product\"]},{\"url\":\"https://www.advancedcustomfields.com/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Product\"]},{\"url\":\"https://www.advancedcustomfields.com/blog/acf-6-1-8/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
  }
}

gsd-2023-40068

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-40068

Aliases

CVE-2023-40068

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-40068",
    "id": "GSD-2023-40068"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-40068"
      ],
      "details": "Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.",
      "id": "GSD-2023-40068",
      "modified": "2023-12-13T01:20:43.503849Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2023-40068",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Advanced Custom Fields",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "versions 6.1.0 to 6.1.7"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Advanced Custom Fields Pro",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "versions 6.1.0 to 6.1.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "WP Engine"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.advancedcustomfields.com/blog/acf-6-1-8/",
            "refsource": "MISC",
            "url": "https://www.advancedcustomfields.com/blog/acf-6-1-8/"
          },
          {
            "name": "https://wordpress.org/plugins/advanced-custom-fields/",
            "refsource": "MISC",
            "url": "https://wordpress.org/plugins/advanced-custom-fields/"
          },
          {
            "name": "https://www.advancedcustomfields.com/",
            "refsource": "MISC",
            "url": "https://www.advancedcustomfields.com/"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN98946408/",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN98946408/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.1.7",
                "versionStartIncluding": "6.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:-:wordpress:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.1.7",
                "versionStartIncluding": "6.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2023-40068"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/plugins/advanced-custom-fields/",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://wordpress.org/plugins/advanced-custom-fields/"
            },
            {
              "name": "https://www.advancedcustomfields.com/",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://www.advancedcustomfields.com/"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN98946408/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN98946408/"
            },
            {
              "name": "https://www.advancedcustomfields.com/blog/acf-6-1-8/",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://www.advancedcustomfields.com/blog/acf-6-1-8/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-08-25T16:10Z",
      "publishedDate": "2023-08-21T09:15Z"
    }
  }
}

cve-2023-40068

Vulnerability from jvndb

Published

2023-08-21 14:05

Modified

2024-03-25 17:55

Severity

5.4 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

Details

WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Ryotaro Imamura of SB Technology Corp. and Satoo Nakano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type	URL
JVN	http://jvn.jp/en/jp/JVN98946408/index.html
CVE	https://www.cve.org/CVERecord?id=CVE-2023-40068
NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-40068
Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor	Product
WP Engine	Advanced Custom Fields

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000084.html",
  "dc:date": "2024-03-25T17:55+09:00",
  "dcterms:issued": "2023-08-21T14:05+09:00",
  "dcterms:modified": "2024-03-25T17:55+09:00",
  "description": "WordPress Plugin \"Advanced Custom Fields\" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nRyotaro Imamura of SB Technology Corp. and Satoo Nakano reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000084.html",
  "sec:cpe": {
    "#text": "cpe:/a:advancedcustomfields:advanced_custom_fields",
    "@product": "Advanced Custom Fields",
    "@vendor": "WP Engine",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000084",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN98946408/index.html",
      "@id": "JVN#98946408",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-40068",
      "@id": "CVE-2023-40068",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-40068",
      "@id": "CVE-2023-40068",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "WordPress Plugin \"Advanced Custom Fields\" vulnerable to cross-site scripting"
}

ghsa-87x7-f7g8-6px2

Vulnerability from github

Published

2023-08-21 09:30

Modified

2024-04-04 07:04

Severity

5.4 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-40068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-21T09:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.",
  "id": "GHSA-87x7-f7g8-6px2",
  "modified": "2024-04-04T07:04:43Z",
  "published": "2023-08-21T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40068"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN98946408"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/advanced-custom-fields"
    },
    {
      "type": "WEB",
      "url": "https://www.advancedcustomfields.com"
    },
    {
      "type": "WEB",
      "url": "https://www.advancedcustomfields.com/blog/acf-6-1-8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Action not permitted

cve-2023-40068

Vulnerability from cvelistv5

gsd-2023-40068

Vulnerability from gsd

cve-2023-40068

Vulnerability from jvndb

ghsa-87x7-f7g8-6px2

Vulnerability from github

Tags