CVE-2020-8615 - OpenCVE

A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Themeum	Tutor Lms

Configuration 1 [-]

cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*

References

Link	Resource
http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html	Exploit Third Party Advisory VDB Entry
https://wpvulndb.com/vulnerabilities/10058	Third Party Advisory
https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/	Third Party Advisory
https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/	Third Party Advisory
https://www.themeum.com/tutor-lms-updated-v1-5-3/	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-04T19:01:06

Updated: 2020-03-02T17:06:16

Reserved: 2020-02-04T00:00:00

Link: CVE-2020-8615

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-04T20:15:14.933

Modified: 2022-01-01T20:03:48.243

Link: CVE-2020-8615

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-02T17:06:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/10058"}, {"tags": ["x_refsource_MISC"], "url": "https://www.themeum.com/tutor-lms-updated-v1-5-3/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8615", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wpvulndb.com/vulnerabilities/10058", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/10058"}, {"name": "https://www.themeum.com/tutor-lms-updated-v1-5-3/", "refsource": "MISC", "url": "https://www.themeum.com/tutor-lms-updated-v1-5-3/"}, {"name": "https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/", "refsource": "MISC", "url": "https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/"}, {"name": "https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/", "refsource": "MISC", "url": "https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/"}, {"name": "http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8615", "datePublished": "2020-02-04T19:01:06", "dateReserved": "2020-02-04T00:00:00", "dateUpdated": "2020-03-02T17:06:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5D700DB6-8E7D-4B46-B69C-3DE36D7E81E2", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors)."}, {"lang": "es", "value": "Una vulnerabilidad de tipo CSRF en el plugin Tutor LMS versiones anteriores a 1.5.3 para WordPress, puede resultar en que un atacante se apruebe como instructor y lleve a cabo otras acciones maliciosas (tales como bloquear instructores leg\u00edtimos)."}], "id": "CVE-2020-8615", "lastModified": "2022-01-01T20:03:48.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T20:15:14.933", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/10058"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.themeum.com/tutor-lms-updated-v1-5-3/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}