CVE-2024-2033: Missing Authorization in 3RK Video Conferencing With Zoom

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 52.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 9; Latest update Dec 2

Description

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate usernames, emails and IDs of all users on a site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 1 package

Vulnerability Details (3)

GHSA, 2024-12-02: AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
CVEList, 2024-04-09: Video Conferencing with Zoom <= 4.4.5 - Sensitive Information Exposure
GHSA, 2024-04-09: GHSA-5853-h8ff-m754: The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4
CVE-2024-2033 — Missing Authorization | cvebase