Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-3219: Authorization Bypass Through User-Controlled Key in Eventon

Severity
5.3 MEDIUM (NVD)
EPSS
74.0% (top 1.17%)
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Jul 10
Latest update: Aug 4

Description

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (1 package)

NVD: myeventon/eventon < 2.1.2

🔴 Vulnerability Details (2)

GHSA
GHSA-6ccc-8wgj-7rf9: The EventON WordPress plugin before 2 (2023-07-10)
CVEList
EventON < 2.1.2 - Unauthenticated Post Access via IDOR (2023-07-10)

💥 Exploits & PoCs (2)

Exploit-DB
Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Post Access via IDOR (2023-08-04)
Nuclei
EventON Lite < 2.1.2 - Arbitrary File Download
CVE-2023-3219 — Myeventon Eventon vulnerability | cvebase