CVE-2023-4269

CWE-863 — Incorrect Authorization CWE-862 — Missing Authorization6 documents4 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 70.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown User Activity LOG Solwininfotech User Activity LOG

Timeline

PublishedSep 4

Latest updateSep 19

Description

The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/user_activity_log< 1.6.6

▶NVDsolwininfotech/user_activity_log< 1.6.6

🔴Vulnerability Details

OSV

linux-oem-6.0 vulnerabilities↗2023-09-19

▶

GHSA

GHSA-j59m-qf5r-w9hr: The User Activity Log WordPress plugin before 1↗2023-09-04

▶

CVEList

User Activity Log < 1.6.6 - Subscriber+ Log Export↗2023-09-04

▶

OSV

linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities↗2023-06-16

▶

OSV

linux-oem-6.1 vulnerabilities↗2023-04-19

▶