Severity
5.3 MEDIUM
EPSS
0.8%
top 26.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 21
Latest update: May 24

Description

The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published pages/posts to be leaked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 | Impact: 1.4

Affected Packages: 2 packages

Packagist: automattic/jetpack < 9.8

🔴Vulnerability Details

3
GHSA: JetPack Exposure of Resource to Wrong Sphere (2022-05-24)
OSV: JetPack Exposure of Resource to Wrong Sphere (2022-05-24)
CVEList: Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak (2021-06-21)
CVE-2021-24374 (MEDIUM CVSS 5.3) | cvebase.io