CVE-2022-1251

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-200 — Information Exposure6 documents6 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 67.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown ASK ME Inkthemes ASK ME

Timeline

PublishedAug 22

Latest updateOct 19

Description

The Ask me WordPress theme before 6.8.4 does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDinkthemes/ask_me< 6.8.4

▶CVEListV5unknown/ask_me6.8.4 — 6.8.4

🔴Vulnerability Details

GHSA

Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin↗2022-10-19

▶

GHSA

GHSA-c83j-mhmm-58g7: The Ask me WordPress theme before 6↗2022-08-23

▶

CVEList

Ask Me < 6.8.4 - CSRF in Edit Profile↗2022-08-22

▶

📋Vendor Advisories

Red Hat

jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin↗2022-10-19

▶

Microsoft

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no per↗2022-10-11

▶