CVE-2021-34638 - OpenCVE

Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Wpdownloadmanager	Wordpress Download Manager

Configuration 1 [-]

cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2021-08-05T20:18:33

Updated: 2021-08-05T20:18:33

Reserved: 2021-06-10T00:00:00

Link: CVE-2021-34638

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-08-05T21:15:12.307

Modified: 2021-08-12T17:37:53.880

Link: CVE-2021-34638

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "WordPress Download Manager", "vendor": "W3 Eden, Inc.", "versions": [{"lessThanOrEqual": "3.1.24", "status": "affected", "version": "3.1.24", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Ramuel Gall, Wordfence"}], "descriptions": [{"lang": "en", "value": "Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-540", "description": "CWE-540 Information Exposure Through Source Code", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-05T20:18:33", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/"}], "source": {"discovery": "INTERNAL"}, "title": "WordPress Download Manager <= 3.1.24 Authenticated Directory Traversal", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@wordfence.com", "ID": "CVE-2021-34638", "STATE": "PUBLIC", "TITLE": "WordPress Download Manager <= 3.1.24 Authenticated Directory Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WordPress Download Manager", "version": {"version_data": [{"version_affected": "<=", "version_name": "3.1.24", "version_value": "3.1.24"}]}}]}, "vendor_name": "W3 Eden, Inc."}]}}, "credit": [{"lang": "eng", "value": "Ramuel Gall, Wordfence"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}, {"description": [{"lang": "eng", "value": "CWE-540 Information Exposure Through Source Code"}]}]}, "references": {"reference_data": [{"name": "https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/", "refsource": "MISC", "url": "https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2021-34638", "datePublished": "2021-08-05T20:18:33", "dateReserved": "2021-06-10T00:00:00", "dateUpdated": "2021-08-05T20:18:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8BA873E8-78A4-4653-A737-1B91C823F13E", "versionEndIncluding": "3.1.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions."}, {"lang": "es", "value": "Un Salto de Directorio Autenticado en WordPress Download Manager versiones anteriores a 3.1.24 incluy\u00e9ndola, permite a usuarios autenticados (Contributor+) obtener informaci\u00f3n confidencial de archivos de configuraci\u00f3n, adem\u00e1s de permitir a usuarios Author+ llevar a cabo ataques de tipo XSS, al ajustar Download template a un archivo que contiene informaci\u00f3n de configuraci\u00f3n o un JavaScript cargado con una extensi\u00f3n de imagen Este problema afecta a: WordPress Download Manager versi\u00f3n 3.1.24 y versiones anteriores"}], "id": "CVE-2021-34638", "lastModified": "2021-08-12T17:37:53.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2021-08-05T21:15:12.307", "references": [{"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-540"}, {"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}