CVE-2021-24170 - OpenCVE

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cozmoslabs	User Profile Picture

Configuration 1 [-]

cpe:2.3:a:cozmoslabs:user_profile_picture:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc	Exploit Third Party Advisory
https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2021-04-05T18:27:44

Updated: 2021-04-05T18:27:44

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24170

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-05T19:15:15.797

Modified: 2021-04-09T19:34:59.337

Link: CVE-2021-24170

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "User Profile Picture", "vendor": "Unknown", "versions": [{"lessThan": "2.5.0", "status": "affected", "version": "2.5.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Chloe Chamberland"}], "descriptions": [{"lang": "en", "value": "The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-05T18:27:44", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc"}, {"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/"}], "source": {"discovery": "UNKNOWN"}, "title": "User Profile Picture < 2.5.0 - Sensitive Information Disclosure", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24170", "STATE": "PUBLIC", "TITLE": "User Profile Picture < 2.5.0 - Sensitive Information Disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "User Profile Picture", "version": {"version_data": [{"version_affected": "<", "version_name": "2.5.0", "version_value": "2.5.0"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Chloe Chamberland"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc"}, {"name": "https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/", "refsource": "MISC", "url": "https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24170", "datePublished": "2021-04-05T18:27:44", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2021-04-05T18:27:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cozmoslabs:user_profile_picture:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "73606509-3C7C-402D-9043-A9997FA8BC16", "versionEndExcluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information."}, {"lang": "es", "value": "El endpoint de la API REST get_users en el plugin de WordPress User Profile Picture versiones anteriores a 2.5.0, devolvi\u00f3 m\u00e1s informaci\u00f3n de la necesaria para su funcionalidad a usuarios con la capacidad upload_files. Esto inclu\u00eda hash de contrase\u00f1a, claves de activaci\u00f3n de usuario con hash, nombres de usuario, correos electr\u00f3nicos y otra informaci\u00f3n menos confidencial"}], "id": "CVE-2021-24170", "lastModified": "2021-04-09T19:34:59.337", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-05T19:15:15.797", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc"}, {"source": "contact@wpscan.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "contact@wpscan.com", "type": "Secondary"}]}