Vulnerabilites related to BearDev - JoomSport
CVE-2019-14348 (GCVE-0-2019-14348)
Vulnerability from cvelistv5
Published
2019-08-05 15:00
Modified
2024-08-05 00:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/ | x_refsource_MISC | |
| https://wpvulndb.com/vulnerabilities/9499 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:12:43.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9499"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-07T22:06:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9499"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14348",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/",
"refsource": "MISC",
"url": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9499",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9499"
},
{
"name": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14348",
"datePublished": "2019-08-05T15:00:09",
"dateReserved": "2019-07-28T00:00:00",
"dateUpdated": "2024-08-05T00:12:43.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4050 (GCVE-0-2022-4050)
Vulnerability from cvelistv5
Published
2022-12-19 13:41
Modified
2025-04-17 13:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f | exploit, vdb-entry, technical-description |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4050",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T13:40:32.987341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T13:40:47.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "JoomSport",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cydave"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-19T13:41:51.720Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "JoomSport \u003c 5.2.8 - Unauthenticated SQLi",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4050",
"datePublished": "2022-12-19T13:41:51.720Z",
"dateReserved": "2022-11-17T12:57:54.773Z",
"dateUpdated": "2025-04-17T13:40:47.282Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2717 (GCVE-0-2022-2717)
Vulnerability from cvelistv5
Published
2022-09-06 17:18
Modified
2024-08-03 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beardev | JoomSport – for Sports: Team & League, Football, Hockey & more |
Version: * ≤ 5.2.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b6cf4ab-9e4d-4fd7-9e9e-c678ccc4d810?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php?rev=2679820#L28"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2717"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more",
"vendor": "beardev",
"versions": [
{
"lessThanOrEqual": "5.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "salim al-wahaibi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T08:32:48.426Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b6cf4ab-9e4d-4fd7-9e9e-c678ccc4d810?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php?rev=2679820#L28"
},
{
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2717"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-08T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2022-08-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-2717",
"datePublished": "2022-09-06T17:18:59",
"dateReserved": "2022-08-08T00:00:00",
"dateUpdated": "2024-08-03T00:46:03.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2718 (GCVE-0-2022-2718)
Vulnerability from cvelistv5
Published
2022-09-06 17:19
Modified
2024-08-03 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beardev | JoomSport – for Sports: Team & League, Football, Hockey & more |
Version: * ≤ 5.2.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.788Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9eee9bec-609a-468b-8b44-ac4af409df93?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php?rev=2540219#L26"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2718"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more",
"vendor": "beardev",
"versions": [
{
"lessThanOrEqual": "5.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "salim al-wahaibi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T08:32:49.202Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9eee9bec-609a-468b-8b44-ac4af409df93?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php?rev=2540219#L26"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2718"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-08T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2022-08-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-2718",
"datePublished": "2022-09-06T17:19:00",
"dateReserved": "2022-08-08T00:00:00",
"dateUpdated": "2024-08-03T00:46:03.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24384 (GCVE-0-2021-24384)
Vulnerability from cvelistv5
Published
2021-07-06 11:03
Modified
2024-08-03 19:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | JoomSport – for Sports: Team & League, Football, Hockey & more |
Version: 5.1.8 < 5.1.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.922Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.1.8",
"status": "affected",
"version": "5.1.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bugbang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-06T11:03:27",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JoomSport \u003c 5.1.8 - Unauthenticated PHP Object Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24384",
"STATE": "PUBLIC",
"TITLE": "JoomSport \u003c 5.1.8 - Unauthenticated PHP Object Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.1.8",
"version_value": "5.1.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bugbang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24384",
"datePublished": "2021-07-06T11:03:27",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-44031 (GCVE-0-2024-44031)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-04 18:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.6.3.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T18:34:11.694161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T18:34:42.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "joomsport-sports-league-results-management",
"product": "JoomSport",
"vendor": "BearDev",
"versions": [
{
"changes": [
{
"at": "5.6.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects JoomSport: from n/a through 5.6.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.6.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:17:08.101Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/joomsport-sports-league-results-management/wordpress-joomsport-plugin-5-6-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 5.6.4 or a higher version."
}
],
"value": "Update to 5.6.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress JoomSport plugin \u003c= 5.6.3 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-44031",
"datePublished": "2024-11-01T14:17:08.101Z",
"dateReserved": "2024-08-18T21:58:17.519Z",
"dateUpdated": "2024-11-04T18:34:42.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43355 (GCVE-0-2024-43355)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-04 18:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.3.0.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T18:00:22.452729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T18:00:33.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "joomsport-sports-league-results-management",
"product": "JoomSport",
"vendor": "BearDev",
"versions": [
{
"changes": [
{
"at": "5.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects JoomSport: from n/a through 5.3.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:17:22.439Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/joomsport-sports-league-results-management/wordpress-joomsport-plugin-5-3-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 5.5.7 or a higher version."
}
],
"value": "Update to 5.5.7 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress JoomSport plugin \u003c= 5.3.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43355",
"datePublished": "2024-11-01T14:17:22.439Z",
"dateReserved": "2024-08-09T09:22:23.936Z",
"dateUpdated": "2024-11-04T18:00:33.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-09-06 18:15
Modified
2024-11-21 07:01
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9B31952E-D854-4C99-90C5-7A8E33F6458C",
"versionEndIncluding": "5.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
},
{
"lang": "es",
"value": "JoomSport \u2013 for Sports: Team \u0026amp; League, Football, Hockey \u0026amp; more plugin para WordPress es vulnerable a una inyecci\u00f3n SQL por medio del par\u00e1metro \"orderby\" en la p\u00e1gina joomsport-events-form en versiones hasta 5.2.5 incluy\u00e9ndola, debido a un escape insuficiente en el par\u00e1metro suministrado por el usuario y a una falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible a atacantes autenticados, con privilegios administrativos, a\u00f1adir consultas SQL adicionales a las consultas ya existentes que pueden ser usadas para extraer informaci\u00f3n confidencial de la base de datos.\n"
}
],
"id": "CVE-2022-2717",
"lastModified": "2024-11-21T07:01:34.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-06T18:15:14.687",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php?rev=2679820#L28"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b6cf4ab-9e4d-4fd7-9e9e-c678ccc4d810?source=cve"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php?rev=2679820#L28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b6cf4ab-9e4d-4fd7-9e9e-c678ccc4d810?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2717"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-19 14:15
Modified
2025-04-17 14:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3D525E77-63CD-489B-A10D-AE92276D6268",
"versionEndExcluding": "5.2.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users"
},
{
"lang": "es",
"value": "El complemento JoomSport WordPress anterior a 5.2.8 no sanitiza ni escapa adecuadamente un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n de SQL explotable por usuarios no autenticados."
}
],
"id": "CVE-2022-4050",
"lastModified": "2025-04-17T14:15:24.787",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-19T14:15:11.847",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2024-11-01 15:15
Modified
2024-11-13 01:24
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.3.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AFB7C068-D4A1-411A-9517-6868B4B2CC6A",
"versionEndExcluding": "5.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.3.0."
},
{
"lang": "es",
"value": " La vulnerabilidad de autorizaci\u00f3n faltante en BearDev JoomSport permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a JoomSport: desde n/a hasta 5.3.0."
}
],
"id": "CVE-2024-43355",
"lastModified": "2024-11-13T01:24:34.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-01T15:15:48.240",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/joomsport-sports-league-results-management/wordpress-joomsport-plugin-5-3-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-01 15:15
Modified
2024-11-08 21:26
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.6.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C6806D21-5C2B-4A08-983A-0D4FD054E6B5",
"versionEndExcluding": "5.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JoomSport: from n/a through 5.6.3."
},
{
"lang": "es",
"value": " La vulnerabilidad de autorizaci\u00f3n faltante en BearDev JoomSport permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a JoomSport: desde n/a hasta 5.6.3."
}
],
"id": "CVE-2024-44031",
"lastModified": "2024-11-08T21:26:34.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-01T15:15:52.897",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/joomsport-sports-league-results-management/wordpress-joomsport-plugin-5-6-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-05 15:15
Modified
2024-11-21 04:26
Severity ?
Summary
The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/ | Third Party Advisory | |
| cve@mitre.org | https://wpvulndb.com/vulnerabilities/9499 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpvulndb.com/vulnerabilities/9499 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:3.3:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C7472539-1D86-4A76-82CB-14E6B6E24528",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter."
},
{
"lang": "es",
"value": "El plugin JoomSport de BearDev versi\u00f3n 3.3 para WordPress, permite que la inyecci\u00f3n SQL robe, modifique o elimine informaci\u00f3n de la base de datos por medio del par\u00e1metro sid de joomsport_season/new-yorkers/?Action=playerlist."
}
],
"id": "CVE-2019-14348",
"lastModified": "2024-11-21T04:26:33.560",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-05T15:15:11.433",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9499"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9499"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-06 11:15
Modified
2024-11-21 05:52
Severity ?
Summary
The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "75A04E08-3A20-4B10-BAB8-53F09A650F52",
"versionEndExcluding": "5.1.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE"
},
{
"lang": "es",
"value": "La acci\u00f3n AJAX joomsport_md_load del plugin JoomSport de WordPress versiones anteriores a 5.1.8, registrada tanto para usuarios no autenticados como para usuarios no autenticados, no serializaba la entrada del usuario desde el par\u00e1metro shattr POST, conllevando a un problema de inyecci\u00f3n de objetos PHP. Aunque el plugin no presenta una cadena de gadgets adecuada para explotar esto, otros plugins instalados podr\u00edan, lo que podr\u00eda conllevar a problemas m\u00e1s graves como RCE"
}
],
"id": "CVE-2021-24384",
"lastModified": "2024-11-21T05:52:57.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-06T11:15:08.777",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "contact@wpscan.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-06 18:15
Modified
2024-11-21 07:01
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9B31952E-D854-4C99-90C5-7A8E33F6458C",
"versionEndIncluding": "5.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JoomSport \u2013 for Sports: Team \u0026 League, Football, Hockey \u0026 more plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
},
{
"lang": "es",
"value": "JoomSport - para Deportes: Team \u0026amp; League, Football, Hockey \u0026amp; more plugin para WordPress es vulnerable a la inyecci\u00f3n SQL por medio del par\u00e1metro \"orderby\" en la p\u00e1gina joomsport-page-extrafields en versiones hasta 5.2.5 incluy\u00e9ndola, debido a un escape insuficiente en el par\u00e1metro suministrado por el usuario y a una falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible a atacantes autenticados, con privilegios administrativos, a\u00f1adan consultas SQL adicionales a las consultas ya existentes que pueden ser usadas para extraer informaci\u00f3n confidencial de la base de datos."
}
],
"id": "CVE-2022-2718",
"lastModified": "2024-11-21T07:01:34.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-06T18:15:14.747",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php?rev=2540219#L26"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9eee9bec-609a-468b-8b44-ac4af409df93?source=cve"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2718"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php?rev=2540219#L26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2767877%40joomsport-sports-league-results-management\u0026new=2767877%40joomsport-sports-league-results-management\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9eee9bec-609a-468b-8b44-ac4af409df93?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2718"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}