CVE-2022-0147
Published 2022-03-14 · CVE-2022-0147: The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the…
Priority P334 · medium · 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.60% (72.8th percentile)
The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cookieinformation | wp-gdpr-compliance | < 2.0.8 | 2.0.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| cisa | | 9.8 | CRITICAL | |
The cisa row is not a rating of CVE-2022-0147: the only CISA entries indexed on this page are CVE-2017-0147 and CVE-2018-0147 (the latter scored 9.8), which share nothing with this CVE beyond the numeric suffix. The score to use for this CVE is the NVD v3.1 6.1; its vector (PR:N, UI:R, S:C) means the payload is delivered in a crafted link that a logged-in administrator has to open, and the script then runs in that administrator's session.
GHSA
GHSA-5r9x-pqj4-5w2w · ghsa_unreviewed · 2022-03-15
CVE-2022-0147 [MEDIUM] CWE-79
The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
CISA
The two KEV entries below are for CVE-2017-0147 and CVE-2018-0147, which share only the numeric suffix with CVE-2022-0147; neither concerns the WordPress plugin.
Microsoft Windows SMBv1 Information Disclosure Vulnerability
cisa · 2022-05-24 · CVSS 7.5 · CVE-2017-0147 [HIGH] CWE-200
Vulnerability: Microsoft Windows SMBv1 Information Disclosure Vulnerability
Affected: Microsoft SMBv1 server
The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0147
Remediation Due Date: 2022-06-14
CISA
Cisco Secure Access Control System Java Deserialization Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CVE-2018-0147 [CRITICAL] CWE-20
Vulnerability: Cisco Secure Access Control System Java Deserialization Vulnerability
Affected: Cisco Secure Access Control System (ACS)
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-0147
Remediation Due Date: 2022-04-15
No detection rules found.
Nuclei
WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2022-0147 [MEDIUM]
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Template (only the info section is indexed on this page; the request and matcher sections are not shown):
```yaml
id: CVE-2022-0147

info:
  name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
  author: 8arthur
  severity: medium
  description: |
    WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inj
```
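The advisory and the Nuclei description both come down to one bug class: a request parameter echoed into an HTML attribute on an admin page without attribute-context escaping. The example below is added here and is not code from the plugin, the advisory or the Nuclei template. It models that pattern with a hypothetical parameter `tab` and constructed markup (the plugin's real parameter and code path are not shown on this page), puts the vulnerable render next to the escaped one, and implements the two checks a reflected-XSS matcher and a reviewer would apply: is the probe reflected with its quotes intact, and did it introduce attributes the template never wrote. `html.escape(quote=True)` stands in for WordPress's `esc_attr()`, which encodes the same characters.

```python
"""Added example, not code from the plugin, the advisory or the Nuclei template.

Models the bug class CVE-2022-0147 describes: a request parameter echoed into an
HTML attribute of an admin page without escaping, next to the escaped version.
The parameter name `tab`, the markup and the probe string are constructed for
this example; the real plugin's parameter and code path are not on this page.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed probe: closes the quoted attribute and adds an event handler.
PROBE = '" onfocus="alert(1)" autofocus="'

# Attribute names the template itself writes; anything else came from the input.
TEMPLATE_ATTRS = {"type", "name", "value"}

ATTR_RE = re.compile(r'\s([A-Za-z-]+)="([^"]*)"')


def param(query: str, name: str = "tab") -> str:
    """Read one query-string parameter the way a request handler would."""
    return parse_qs(query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Vulnerable pattern: raw user data interpolated into a double-quoted attribute."""
    return f'<input type="hidden" name="tab" value="{param(query)}">'


def render_fixed(query: str) -> str:
    """Fixed pattern: attribute-context escaping before output.

    html.escape(quote=True) encodes & < > " and ', the same set WordPress's
    esc_attr() encodes for attribute values, so the input cannot close the quote.
    """
    return f'<input type="hidden" name="tab" value="{html.escape(param(query), quote=True)}">'


def injected_attributes(markup: str) -> list[str]:
    """Attributes present in the markup that the template did not write.

    A non-empty list means the input broke out of the value="" context.
    """
    return [name for name, _ in ATTR_RE.findall(markup) if name not in TEMPLATE_ATTRS]


def reflects_unescaped(markup: str, probe: str = PROBE) -> bool:
    """The check a reflected-XSS matcher performs: the probe appears verbatim,
    quote characters intact, in the HTML response."""
    return probe in markup


def probe_query(probe: str = PROBE) -> str:
    """Query string carrying the probe, URL-encoded as a browser would send it."""
    return urlencode({"tab": probe})


if __name__ == "__main__":
    q = probe_query()
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(q)
        print(f"{label}: {out}")
        print(f"  reflected unescaped: {reflects_unescaped(out)}; "
              f"injected attributes: {injected_attributes(out)}")
```

The escaping must match the output context: `esc_attr()` (or `html.escape(quote=True)`) is right for a quoted attribute value, but it does not make a value safe inside a `<script>` block or a `javascript:`/URL attribute, which need `wp_json_encode()` or `esc_url()` respectively.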
No writeups or analysis indexed.
Published: 2022-03-14