cve-2024-6332
Vulnerability from cvelistv5
Published
2024-09-05 09:29
Modified
2024-09-05 19:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Booking for Appointments and Events Calendar – Amelia Premium <= 7.7 and Lite <= 1.2.3 - Missing Authorization to Sensitive Information Exposure
References
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741Product
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741Product
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cveThird Party Advisory
Impacted products
ameliabookingBooking for Appointments and Events Calendar – Amelia Premium
ameliabookingBooking for Appointments and Events Calendar – Amelia
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6332",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T19:38:01.113304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T19:38:14.016Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking for Appointments and Events Calendar \u2013 Amelia Premium",
          "vendor": "ameliabooking",
          "versions": [
            {
              "lessThanOrEqual": "7.7",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Booking for Appointments and Events Calendar \u2013 Amelia",
          "vendor": "ameliabooking",
          "versions": [
            {
              "lessThanOrEqual": "1.2.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nadim Zubidat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the \u0027ameliaButtonCommand\u0027 function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-05T09:29:48.753Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-04T21:24:51.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Booking for Appointments and Events Calendar \u2013 Amelia Premium \u003c= 7.7 and Lite \u003c= 1.2.3 - Missing Authorization to Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-6332",
    "datePublished": "2024-09-05T09:29:48.753Z",
    "dateReserved": "2024-06-25T17:38:01.385Z",
    "dateUpdated": "2024-09-05T19:38:14.016Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6332\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-09-05T10:15:02.970\",\"lastModified\":\"2024-09-12T12:45:37.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the \u0027ameliaButtonCommand\u0027 function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version.\"},{\"lang\":\"es\",\"value\":\"Los complementos Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite para WordPress son vulnerables al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n \u0027ameliaButtonCommand\u0027 en todas las versiones hasta la Premium 7.7 y la Lite 1.2.3 incluida. Esto permite que atacantes no autenticados accedan a los detalles del calendario de los empleados, incluidos los tokens OAuth de Google Calendar en la versi\u00f3n premium.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tmsproducts:amelia:*:*:*:*:lite:wordpress:*:*\",\"versionEndIncluding\":\"1.2.3\",\"matchCriteriaId\":\"660A14FE-663B-45F0-82A4-5F9A1169B5C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tmsproducts:amelia:*:*:*:*:premium:wordpress:*:*\",\"versionEndIncluding\":\"7.7\",\"matchCriteriaId\":\"382CBCFD-4A86-42F8-BE43-6C0E165FFB96\"}]}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve\",\"source\":\"security@wordfence.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.