The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
References
Link | Resource |
---|---|
https://hackerone.com/reports/1590237 | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426 | Exploit Third Party Advisory |
History
21 Nov 2024, 07:00
Type | Values Removed | Values Added |
---|---|---|
References | () https://hackerone.com/reports/1590237 - Exploit, Third Party Advisory | |
References | () https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426 - Exploit, Third Party Advisory |
27 Jun 2023, 15:47
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-639 |
01 Sep 2022, 06:39
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-29 18:15
Updated : 2024-11-21 07:00
NVD link : CVE-2022-2034
Mitre link : CVE-2022-2034
CVE.ORG link : CVE-2022-2034
Products Affected
automattic
- sensei_lms
CWE
CWE-639
Authorization Bypass Through User-Controlled Key