CVE-2024-6332

{"id": "CVE-2024-6332", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-09-05T10:15:02.970", "references": [{"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version."}, {"lang": "es", "value": "Los complementos Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite para WordPress son vulnerables al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'ameliaButtonCommand' en todas las versiones hasta la Premium 7.7 y la Lite 1.2.3 incluida. Esto permite que atacantes no autenticados accedan a los detalles del calendario de los empleados, incluidos los tokens OAuth de Google Calendar en la versi\u00f3n premium."}], "lastModified": "2024-09-12T12:45:37.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tmsproducts:amelia:*:*:*:*:lite:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "660A14FE-663B-45F0-82A4-5F9A1169B5C1", "versionEndIncluding": "1.2.3"}, {"criteria": "cpe:2.3:a:tmsproducts:amelia:*:*:*:*:premium:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "382CBCFD-4A86-42F8-BE43-6C0E165FFB96", "versionEndIncluding": "7.7"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}