ID

VAR-201911-0953


CVE

CVE-2019-17515


TITLE

CleanTalk cleantalk-spam-protect plug-in for WordPress vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-012015

DESCRIPTION

The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by cross-site scripting (XSS). Impact: an attacker can execute arbitrary HTML and JavaScript code via the from or till parameter. Affected components: inc/cleantalk-users.php and inc/cleantalk-comments.php. Attack vector: when the administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. CleanTalk cleantalk-spam-protect is a spam protection plugin for WordPress. The vulnerability stems from a lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2019-17515 // JVNDB: JVNDB-2019-012015 // VULHUB: VHN-149769

AFFECTED PRODUCTS

vendor: cleantalk
model: spam protection\, antispam\, firewall
scope: lt
version: 5.127.4

Trust: 1.0

vendor: cleantalk
model: spam protection, antispam, firewall
scope: lt
version: 5.127.4

Trust: 0.8

sources: JVNDB: JVNDB-2019-012015 // NVD: CVE-2019-17515

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-17515
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-17515
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201911-764
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149769
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-17515
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149769
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-17515
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-17515
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149769 // JVNDB: JVNDB-2019-012015 // CNNVD: CNNVD-201911-764 // NVD: CVE-2019-17515

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-149769 // JVNDB: JVNDB-2019-012015 // NVD: CVE-2019-17515

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-764

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201911-764

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012015

PATCH

title: Changeset 2172333
url: https://plugins.trac.wordpress.org/changeset/2172333

Trust: 0.8

title: Spam protection, AntiSpam, FireWall by CleanTalk
url: https://wordpress.org/plugins/cleantalk-spam-protect/#developers

Trust: 0.8

title: WordPress CleanTalk cleantalk-spam-protect Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=103057

Trust: 0.6

sources: JVNDB: JVNDB-2019-012015 // CNNVD: CNNVD-201911-764

EXTERNAL IDS

db: NVD, id: CVE-2019-17515

Trust: 2.5

db: JVNDB, id: JVNDB-2019-012015

Trust: 0.8

db: CNNVD, id: CNNVD-201911-764

Trust: 0.7

db: VULHUB, id: VHN-149769

Trust: 0.1

sources: VULHUB: VHN-149769 // JVNDB: JVNDB-2019-012015 // CNNVD: CNNVD-201911-764 // NVD: CVE-2019-17515

REFERENCES

url: https://plugins.trac.wordpress.org/changeset/2172333

Trust: 1.7

url: https://wordpress.org/plugins/cleantalk-spam-protect/#developers

Trust: 1.7

url: https://wpvulndb.com/vulnerabilities/9949

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-17515

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17515

Trust: 0.8

sources: VULHUB: VHN-149769 // JVNDB: JVNDB-2019-012015 // CNNVD: CNNVD-201911-764 // NVD: CVE-2019-17515

SOURCES

db: VULHUB, id: VHN-149769
db: JVNDB, id: JVNDB-2019-012015
db: CNNVD, id: CNNVD-201911-764
db: NVD, id: CVE-2019-17515

LAST UPDATE DATE

2024-11-23T22:41:17.895000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-149769, date: 2019-11-18T00:00:00
db: JVNDB, id: JVNDB-2019-012015, date: 2019-11-22T00:00:00
db: CNNVD, id: CNNVD-201911-764, date: 2019-12-10T00:00:00
db: NVD, id: CVE-2019-17515, date: 2024-11-21T04:32:25.520

SOURCES RELEASE DATE

db: VULHUB, id: VHN-149769, date: 2019-11-13T00:00:00
db: JVNDB, id: JVNDB-2019-012015, date: 2019-11-22T00:00:00
db: CNNVD, id: CNNVD-201911-764, date: 2019-11-13T00:00:00
db: NVD, id: CVE-2019-17515, date: 2019-11-13T21:15:12.010