Severity: 8.1 HIGH
EPSS: 0.2% (top 62.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 28; Latest update May 10

Description

The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in the actions handled by its include/ajax.php file, which could allow attackers to make logged-in users perform unwanted actions; for example, an admin could be made to delete arbitrary files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5 | unknown/support_board | 3.3.6 | 3.3.6

Vulnerability Details (3)

GHSA: Local Information Disclosure Vulnerability in io.netty:netty-codec-http (2022-05-10)
GHSA: GHSA-v252-c336-2rvr: The Support Board WordPress plugin before 3 (2022-03-01)
CVEList: Support Board < 3.3.6 - Arbitrary File Deletion via CSRF (2022-02-28)

Vendor Advisories (1)

Red Hat: netty: world readable temporary file containing sensitive data (2022-05-06)
CVE-2021-24823 (HIGH CVSS 8.1) | The Support Board WordPress plugin | cvebase.io