CVE-2020-35942 — Cross-site Scripting in Nextgen Gallery

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 45.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagely Nextgen Gallery

Timeline

PublishedFeb 9

Latest updateMay 24

Description

A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDimagely/nextgen_gallery< 3.5.0

🔴Vulnerability Details

GHSA

GHSA-phg2-9429-v8rx: A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3↗2022-05-24

▶

CVEList

CVE-2020-35942: A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3↗2021-02-09

▶