CVE-2024-9862
Authorization Bypass Through User-Controlled Key (CWE-639)
Published: Oct 17, 2024 / Updated: 34d ago
010
CVSS 9.8EPSS 0.06%Critical
CVE info copied to clipboard
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
CVE Assignment
NVD published the first details for CVE-2024-9862
Oct 17, 2024 at 2:15 AM
First Article
Feedly found the first article mentioning CVE-2024-9862. See article
Oct 17, 2024 at 2:15 AM / National Vulnerability Database
CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 17, 2024 at 2:15 AM
EPSS
EPSS Score was set to: 0.06% (Percentile: 28.4%)
Oct 17, 2024 at 10:04 AM
Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (152337)
Oct 28, 2024 at 7:53 AM
Affected Systems
Wordpress/wordpress
+null more
News
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Acespritech Solutions Pvt. Ltd.–Social Link Groups Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection.This issue affects Social Link Groups: from n/a through 1.1.0. 2024-10-20 8.5 CVE-2024-49619 audit@patchstack.com acm309–PutongOJ PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
US-CERT Vulnerability Summary for the Week of October 14, 2024
Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Acespritech Solutions Pvt. Ltd.–Social Link Groups Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection.This issue affects Social Link Groups: from n/a through 1.1.0. 2024-10-20 8.5 CVE-2024-49619 [email protected] acm309–PutongOJ PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source Info Patch Info Acespritech Solutions Pvt. Ltd.--Social Link Groups Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection.This issue affects Social Link Groups: from n/a through 1.1.0. 2024-10-20 8.5 CVE-2024-49619 audit@patchstack.com acm309--PutongOJ PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
Critical - CVE-2024-9862 - The Miniorange OTP Verification with Firebase...
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing...
See 7 more articles and social media posts