Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by classyfrieds_project

    CVE-2021-24253 (GCVE-0-2021-24253)

    Vulnerability from cvelistv5 – Published: 2021-05-05 18:39 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE
    Summary
    The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.
    Severity
    No CVSS data available.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Classyfrieds Affected: 3.8 , ≤ 3.8 (custom)
    Create a notification for this product.
    Credits
    Jin Huang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:22.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classyfrieds",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThanOrEqual": "3.8",
                  "status": "affected",
                  "version": "3.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Jin Huang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-05T18:39:43.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Classyfrieds \u003c= 3.8 - Authenticated Arbitrary File Upload to RCE",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24253",
              "STATE": "PUBLIC",
              "TITLE": "Classyfrieds \u003c= 3.8 - Authenticated Arbitrary File Upload to RCE"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classyfrieds",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.8",
                                "version_value": "3.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Jin Huang"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
                },
                {
                  "name": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md",
                  "refsource": "MISC",
                  "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24253",
        "datePublished": "2021-05-05T18:39:43.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:22.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24253 (GCVE-0-2021-24253)

    Vulnerability from nvd – Published: 2021-05-05 18:39 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE
    Summary
    The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.
    Severity
    No CVSS data available.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Classyfrieds Affected: 3.8 , ≤ 3.8 (custom)
    Create a notification for this product.
    Credits
    Jin Huang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:22.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classyfrieds",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThanOrEqual": "3.8",
                  "status": "affected",
                  "version": "3.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Jin Huang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-05T18:39:43.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Classyfrieds \u003c= 3.8 - Authenticated Arbitrary File Upload to RCE",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24253",
              "STATE": "PUBLIC",
              "TITLE": "Classyfrieds \u003c= 3.8 - Authenticated Arbitrary File Upload to RCE"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classyfrieds",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.8",
                                "version_value": "3.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Jin Huang"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079"
                },
                {
                  "name": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md",
                  "refsource": "MISC",
                  "url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24253",
        "datePublished": "2021-05-05T18:39:43.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:22.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }