CVE-2023-2628

CWE-352Cross-Site Request Forgery (CSRF)4 documents4 sources
Severity
8.8HIGH
EPSS
0.2%
top 60.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown KivicareIqonic Kivicare
Timeline
PublishedJun 27
Latest updateMar 19

Description

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDiqonic/kivicare< 3.2.1
CVEListV5unknown/kivicare< 3.2.1

🔴Vulnerability Details

2
GHSA
GHSA-638h-xgr5-q9r9: The KiviCare WordPress plugin before 32023-06-27
CVEList
KiviCare Management System < 3.2.1 - Multiple CSRF2023-06-27

📋Vendor Advisories

1
Chrome
Stable Channel Update for Desktop: CVE-2024-26262024-03-19
CVE-2023-2628 (HIGH CVSS 8.8) | The KiviCare WordPress plugin befor | cvebase.io