CVE-2022-3511

CWE-639 — Insecure Direct Object Reference3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 38.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Awesome Support Getawesomesupport Awesome Support

Timeline

PublishedNov 28

Description

The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber to download arbitrary exported tickets via an IDOR vector

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5unknown/awesome_support< 6.1.2

▶NVDgetawesomesupport/awesome_support< 6.1.2

🔴Vulnerability Details

GHSA

GHSA-25v3-3ww8-wr27: The Awesome Support WordPress plugin before 6↗2022-11-28

▶

CVEList

Awesome Support < 6.1.2 - Subscriber+ Arbitrary Exported Tickets Download↗2022-11-28

▶