CVE-2022-0212
Published: 2022-02-14
Priority: P3 · 35 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit likelihood (EPSS): 2.29% (81.1th percentile)
The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue.
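To make the description concrete, the following is an added illustration, not SpiderCalendar's source (which is not reproduced on this page): a minimal PHP model of an admin-ajax `window` handler that reflects `callback` straight into a script block, beside a hardened version. The handler body, the script context, the hook registration and the fallback name are assumptions; `wp_ajax_*`, `wp_ajax_nopriv_*`, `sanitize_key()` and `wp_json_encode()` named in the comments are real WordPress APIs. The file runs stand-alone with `php` and needs no WordPress runtime.

```php
<?php
declare(strict_types=1);
// Added illustration, not SpiderCalendar's code: models a "window" admin-ajax
// handler that reflects ?callback= into a <script> block (the shape the CVE
// describes), beside a hardened version. Runs stand-alone with `php`.
//
// In a plugin the handler is reachable pre-auth only because of the nopriv
// hook, which is why the CVE lists unauthenticated users (assumed registration):
//   add_action('wp_ajax_window',        'spider_window_handler');
//   add_action('wp_ajax_nopriv_window', 'spider_window_handler');

/** Vulnerable shape: the untrusted value is concatenated straight into JavaScript. */
function render_window_vulnerable(array $get): string
{
    $callback = (string) ($get['callback'] ?? '');
    return "<html><body><script>\n"
         . "window.parent.{$callback}(\"spider-calendar\");\n"   // no escaping at all
         . "</script></body></html>\n";
}

/**
 * Hardened shape, two independent defences (either one alone closes this bug):
 *  1. Allow-list: a callback is a JavaScript identifier, so reject anything else
 *     (WordPress equivalent: sanitize_key() or this preg_match()).
 *  2. Context-correct encoding: emit the value as a JSON string literal with
 *     < > & ' " hex-escaped, so a closing </script> can never be formed
 *     (WordPress equivalent: wp_json_encode() with the same JSON_HEX_* flags).
 */
function render_window_hardened(array $get): string
{
    $callback = (string) ($get['callback'] ?? '');
    if (preg_match('/\A[A-Za-z_$][A-Za-z0-9_$]{0,63}\z/', $callback) !== 1) {
        $callback = 'spiderCalendarDefault'; // assumed fallback; never echo the bad value
    }
    $literal = json_encode($callback, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<html><body><script>\n"
         . "var cb = window.parent[{$literal}];\n"
         . "if (typeof cb === 'function') { cb(\"spider-calendar\"); }\n"
         . "</script></body></html>\n";
}

// Constructed payloads: one breaks out of the call expression, one closes the script tag.
$payloads = [
    'x");alert(document.domain);//',
    '</script><svg onload=alert(1)>',
];
foreach ($payloads as $p) {
    $vuln = render_window_vulnerable(['callback' => $p]);
    $safe = render_window_hardened(['callback' => $p]);
    echo "--- vulnerable ---\n", $vuln, "--- hardened ---\n", $safe, "\n";
    // Self-check: raw payload must appear in the vulnerable output and never in the hardened one.
    if (strpos($vuln, $p) === false || strpos($safe, $p) !== false) {
        fwrite(STDERR, "self-check failed for payload: {$p}\n");
        exit(1);
    }
}
echo "ok\n";
```

The allow-list alone is what a JSONP-style `callback` parameter needs, since a legitimate value is only ever a function name; the JSON literal with `JSON_HEX_*` flags is kept so that the output stays safe even if the allow-list is later relaxed. Note that HTML-escaping (`esc_html()`/`htmlspecialchars()`) would be the wrong tool inside a `<script>` block: it is the JavaScript string context, not the HTML text context, that has to be closed off.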
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | spidercalendar | <= 1.5.65 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 7.8 | HIGH | (belongs to the vim advisory for CVE-2022-2816 listed under Red Hat below, not to this CVE) |
GHSA
GHSA-vcj8-8g5f-vhr9 · ghsa_unreviewed · 2022-02-15 · CVE-2022-0212 [MEDIUM] CWE-79
Summary: identical to the description above (SpiderCalendar WordPress plugin through 1.5.65, reflected XSS via the callback parameter of the window AJAX action).
Red Hat
vendor_redhat · 2022-08-12 · CVSS 7.8 · CVE-2022-2816 [HIGH] CWE-125
Note: this entry concerns vim, not SpiderCalendar. It is the source of the 7.8 HIGH vendor_redhat score in the CVSS provenance table and does not apply to CVE-2022-0212.
vim: out-of-bounds read in check_vim9_unlet() at src/vim9cmds.c
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.
An out-of-bounds read vulnerability was found in Vim in the check_vim9_unlet function in the vim9cmds.c file. This issue occurs because of invalid memory access when compiling the unlet command when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the out-of-bounds read, causing the application to crash, possibly executing code and corrupting memory.
Statement: Red Hat Product Security has rated this issue as having a Low security impact because the user has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent
No detection rules found.
Nuclei
nuclei · CVSS 6.1 · CVE-2022-0212 [MEDIUM]
WordPress Spider Calendar <=1.5.65 - Cross-Site Scripting

```yaml
info:
  name: WordPress Spider Calendar <=1.5.65 - Cross-Site Scripting
  severity: medium
  description: WordPress Spider Calendar <=1.5.65 …
  remediation: … >=1.5.66) or apply the vendor-supplied patch to fix the XSS vulnerability.
  reference:
    - https://wpscan.com/vulnerability/15be2d2b-baa3-4845-82cf-3c351c695b47
    - https://wordpress.org/plugins/spider-event-calendar/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0212
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0212
    cwe-id: CWE-79
    epss-score: 0.02102
    epss-percentile: 0.84093
    cpe: cpe:2.3:a:10web:spidercalendar:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: 10web
    product: spidercalendar
    framework: wordpress
  tags: cve2022,cve,xss,wpscan,wordpress,wp-plugin,wp,spider-event-calendar,unauthenticated,10web,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=window&…"
```

The template's description and remediation text is partly missing on this page (the `<=1.5.65` span was swallowed as a markup tag), the request path is truncated after `action=window&`, and the matchers are not shown. The EPSS values in the template (0.02102, 84th percentile) come from a different snapshot than the 2.29% / 81.1th percentile figure in the header; both refer to the same CVE.
No writeups or analysis indexed.