CVE-2021-24879

The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://wpscan.com/vulnerability/6dfb4f61-c8cb-40ad-812f-139482be0fb4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:supportcandy:supportcandy:*:*:*:*:*:wordpress:*:*

History

10 Feb 2022, 17:50

Type	Values Removed	Values Added
References	~~(MISC) https://wpscan.com/vulnerability/6dfb4f61-c8cb-40ad-812f-139482be0fb4 -~~	(MISC) https://wpscan.com/vulnerability/6dfb4f61-c8cb-40ad-812f-139482be0fb4 - Exploit, Third Party Advisory
First Time		Supportcandy Supportcandy supportcandy
CPE		cpe:2.3:a:supportcandy:supportcandy::::::wordpress::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 8.8

07 Feb 2022, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-02-07 16:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-24879

Mitre link : CVE-2021-24879

CVE.ORG link : CVE-2021-24879

JSON object : View

Products Affected

supportcandy

supportcandy

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2021-24879", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-02-07T16:15:42.537", "references": [{"url": "https://wpscan.com/vulnerability/6dfb4f61-c8cb-40ad-812f-139482be0fb4", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it."}, {"lang": "es", "value": "El plugin SupportCandy de WordPress versiones anteriores a 2.2.7, no presenta una comprobaci\u00f3n CSRF en la acci\u00f3n AJAX wpsc_tickets, ni presenta ning\u00fan tipo de saneo o escape en algunos de los campos filter, lo que podr\u00eda permitir a atacantes hacer que un usuario conectado que tenga acceso al panel de listas de tickets establezca un filtro arbitrario (almacenado en sus cookies) con una carga \u00fatil de tipo XSS en \u00e9l"}], "lastModified": "2022-02-10T17:50:16.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:supportcandy:supportcandy:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "FA18C347-55CA-4C4E-B366-E636427A241D", "versionEndExcluding": "2.2.7"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}