CVE-2022-2798 - OpenCVE

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Wpaffiliatemanager	Affiliates Manager

Configuration 1 [-]

cpe:2.3:a:wpaffiliatemanager:affiliates_manager:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2022-09-16T08:40:34

Updated: 2022-09-16T08:40:34

Reserved: 2022-08-12T00:00:00

Link: CVE-2022-2798

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-16T09:15:10.960

Modified: 2022-09-20T14:28:53.980

Link: CVE-2022-2798

JSON object: View

Redhat Information

No data.

CWE

CWE-1236

{"containers": {"cna": {"affected": [{"product": "Affiliates Manager", "vendor": "Unknown", "versions": [{"lessThan": "2.9.14", "status": "affected", "version": "2.9.14", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "nhatnam"}], "descriptions": [{"lang": "en", "value": "The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T08:40:34", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd"}], "source": {"discovery": "EXTERNAL"}, "title": "Affiliates Manager < 2.9.14 - Affiliate CSV Injection", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2798", "STATE": "PUBLIC", "TITLE": "Affiliates Manager < 2.9.14 - Affiliate CSV Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Affiliates Manager", "version": {"version_data": [{"version_affected": "<", "version_name": "2.9.14", "version_value": "2.9.14"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "nhatnam"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2798", "datePublished": "2022-09-16T08:40:34", "dateReserved": "2022-08-12T00:00:00", "dateUpdated": "2022-09-16T08:40:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}