CVE-2015-10099 - OpenCVE

A vulnerability classified as critical has been found in CP Appointment Calendar Plugin up to 1.1.5 on WordPress. This affects the function dex_process_ready_to_go_appointment of the file dex_appointments.php. The manipulation of the argument itemnumber leads to sql injection. It is possible to initiate the attack remotely. The patch is named e29a9cdbcb0f37d887dd302a05b9e8bf213da01d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-225351.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Codepeople	Cp Appointment Calendar

Configuration 1 [-]

cpe:2.3:a:codepeople:cp_appointment_calendar:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://github.com/wp-plugins/cp-appointment-calendar/commit/e29a9cdbcb0f37d887dd302a05b9e8bf213da01d	Patch
https://vuldb.com/?ctiid.225351	Permissions Required Third Party Advisory
https://vuldb.com/?id.225351	Permissions Required Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2023-04-10T12:00:05.724Z

Updated: 2023-10-20T09:19:37.501Z

Reserved: 2023-04-08T06:53:13.525Z

Link: CVE-2015-10099

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-10T12:15:07.093

Modified: 2024-05-17T01:03:07.870

Link: CVE-2015-10099

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2015-10099", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-04-08T06:53:13.525Z", "datePublished": "2023-04-10T12:00:05.724Z", "dateUpdated": "2023-10-20T09:19:37.501Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-10-20T09:19:37.501Z"}, "title": "CP Appointment Calendar Plugin dex_appointments.php dex_process_ready_to_go_appointment sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 SQL Injection"}]}], "affected": [{"vendor": "n/a", "product": "CP Appointment Calendar Plugin", "versions": [{"version": "1.1.0", "status": "affected"}, {"version": "1.1.1", "status": "affected"}, {"version": "1.1.2", "status": "affected"}, {"version": "1.1.3", "status": "affected"}, {"version": "1.1.4", "status": "affected"}, {"version": "1.1.5", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in CP Appointment Calendar Plugin up to 1.1.5 on WordPress. This affects the function dex_process_ready_to_go_appointment of the file dex_appointments.php. The manipulation of the argument itemnumber leads to sql injection. It is possible to initiate the attack remotely. The patch is named e29a9cdbcb0f37d887dd302a05b9e8bf213da01d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-225351."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in CP Appointment Calendar Plugin bis 1.1.5 f\u00fcr WordPress entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion dex_process_ready_to_go_appointment der Datei dex_appointments.php. Mittels dem Manipulieren des Arguments itemnumber mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Patch wird als e29a9cdbcb0f37d887dd302a05b9e8bf213da01d bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2023-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-04-08T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-04-26T10:24:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "VulDB GitHub Commit Analyzer", "type": "tool"}], "references": [{"url": "https://vuldb.com/?id.225351", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.225351", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/wp-plugins/cp-appointment-calendar/commit/e29a9cdbcb0f37d887dd302a05b9e8bf213da01d", "tags": ["patch"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codepeople:cp_appointment_calendar:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1E05C44A-B339-4BBE-B9BB-98E7F5129D5A", "versionEndIncluding": "1.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in CP Appointment Calendar Plugin up to 1.1.5 on WordPress. This affects the function dex_process_ready_to_go_appointment of the file dex_appointments.php. The manipulation of the argument itemnumber leads to sql injection. It is possible to initiate the attack remotely. The patch is named e29a9cdbcb0f37d887dd302a05b9e8bf213da01d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-225351."}], "id": "CVE-2015-10099", "lastModified": "2024-05-17T01:03:07.870", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-04-10T12:15:07.093", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/wp-plugins/cp-appointment-calendar/commit/e29a9cdbcb0f37d887dd302a05b9e8bf213da01d"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?ctiid.225351"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?id.225351"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}