CVE-2024-1295

CWE-639 — Insecure Direct Object Reference CWE-12957 documents5 sources

Severity

6.5MEDIUM

EPSS

0.9%

top 25.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Events-calendar-pro Unknown THE Events Calendar TRI THE Events Calendar

Timeline

PublishedJun 14

Latest updateJan 8

Description

The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts, etc.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDtri/the_events_calendar< 6.4.0.1

▶CVEListV5unknown/events-calendar-pro< 6.4.0.1

▶CVEListV5unknown/the_events_calendar< 6.4.0.1

🔴Vulnerability Details

GHSA

Apache Airflow: Sensitive configuration values are not masked in the logs by default↗2024-11-15

▶

GHSA

Aimeos HTML client may potentially reveal sensitive information in error log↗2024-06-25

▶

CVEList

The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access↗2024-06-14

▶

GHSA

GHSA-66gp-w3xm-x3cc: The events-calendar-pro WordPress plugin before 6↗2024-06-14

▶

📋Vendor Advisories

Red Hat

kernel: powerpc/prom_init: Fixup missing powermac #size-cells↗2025-01-08

▶

Red Hat

oauth-server-container: oauth-server-container logs client secret in debug level↗2024-11-14

▶