jvndb - jvndb-2024-000093

jvndb-2024-000093

Vulnerability from jvndb

Published

2024-09-04 13:01

Modified

2024-09-04 13:01

Severity

5.4 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

Details

The field labels in WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type	URL
JVN	https://jvn.jp/en/jp/JVN67963942/index.html
CVE	https://www.cve.org/CVERecord?id=CVE-2024-45429
Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor	Product
WP Engine	Advanced Custom Fields

Show details on JVN DB website

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000093.html",
  "dc:date": "2024-09-04T13:01+09:00",
  "dcterms:issued": "2024-09-04T13:01+09:00",
  "dcterms:modified": "2024-09-04T13:01+09:00",
  "description": "The field labels in WordPress Plugin \"Advanced Custom Fields\" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nRyo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000093.html",
  "sec:cpe": {
    "#text": "cpe:/a:advancedcustomfields:advanced_custom_fields",
    "@product": "Advanced Custom Fields",
    "@vendor": "WP Engine",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "5.4",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000093",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN67963942/index.html",
      "@id": "JVN#67963942",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-45429",
      "@id": "CVE-2024-45429",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "WordPress Plugin \"Advanced Custom Fields\" vulnerable to cross-site scripting"
}

cve-2024-45429

Vulnerability from cvelistv5

Published

2024-09-04 23:07

Modified

2024-09-05 13:33

Severity

Summary

Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.

References

URL	Tags
https://www.advancedcustomfields.com/blog/acf-6-3-6/
https://wordpress.org/plugins/advanced-custom-fields/
https://www.advancedcustomfields.com/
https://jvn.jp/en/jp/JVN67963942/

Impacted products

Vendor	Product
WP Engine	Advanced Custom Fields
WP Engine	Advanced Custom Fields Pro

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45429",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T13:33:40.928462Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T13:33:49.318Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Advanced Custom Fields",
          "vendor": "WP Engine",
          "versions": [
            {
              "status": "affected",
              "version": "6.3.5 and earlier"
            }
          ]
        },
        {
          "product": "Advanced Custom Fields Pro",
          "vendor": "WP Engine",
          "versions": [
            {
              "status": "affected",
              "version": "6.3.5 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the \u0027capability\u0027 setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker\u0027s."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-04T23:07:58.383Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.advancedcustomfields.com/blog/acf-6-3-6/"
        },
        {
          "url": "https://wordpress.org/plugins/advanced-custom-fields/"
        },
        {
          "url": "https://www.advancedcustomfields.com/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN67963942/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-45429",
    "datePublished": "2024-09-04T23:07:58.383Z",
    "dateReserved": "2024-08-29T00:56:56.778Z",
    "dateUpdated": "2024-09-05T13:33:49.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.