CVE-2023-2271 — Cross-Site Request Forgery in Tiempo

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 82.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tiempo

Timeline

PublishedAug 16

Description

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDtiempo/tiempo0.1.2

🔴Vulnerability Details

CVEList

Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF↗2023-08-16

▶

GHSA

GHSA-g78h-3x72-cmgm: The Tiempo↗2023-08-16

▶