CVE-2020-9439 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Uncannyowl	Tin Canny Reporting For Learndash

Configuration 1 [-]

cpe:2.3:a:uncannyowl:tin_canny_reporting_for_learndash:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5
https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-23T15:47:14

Updated: 2024-08-04T10:26:16.177Z

Reserved: 2020-02-27T00:00:00

Link: CVE-2020-9439

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-23T16:15:13.187

Modified: 2020-12-23T19:24:56.310

Link: CVE-2020-9439

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-23T15:47:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9439", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/", "refsource": "MISC", "url": "https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/"}, {"name": "https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5", "refsource": "MISC", "url": "https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:26:16.177Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9439", "datePublished": "2020-12-23T15:47:14", "dateReserved": "2020-02-27T00:00:00", "dateUpdated": "2024-08-04T10:26:16.177Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uncannyowl:tin_canny_reporting_for_learndash:*:*:*:*:*:*:*:*", "matchCriteriaId": "975F6F68-5277-491F-921B-75235CD31565", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Uncanny Owl Tin Canny LearnDash Reporting versiones anteriores a 3.4.4, permite a atacantes remotos autenticados inyectar un script web o HTML arbitrario por medio del par\u00e1metro GET search_key en el archivo TinCan_Content_List_Table.php, un mensaje del Par\u00e1metro GET en el archivo licensing.php, par\u00e1metro tc_filter_group en el archivo reporting-admin-menu.php, par\u00e1metro tc_filter_user en el archivo reporting-admin-menu.php, par\u00e1metro tc_filter_course en el archivo reporting-admin-menu.php, par\u00e1metro tc_filter_lesson en el archivo reporting-admin-menu.php, par\u00e1metro tc_filter_module en el archivo reporting-admin- menu.php, par\u00e1metro tc_filter_action en el archivo reporting-admin-menu.php, par\u00e1metro tc_filter_data_range en el archivo reporting-admin-menu.php, o par\u00e1metro tc_filter_data_range_last en el archivo reporting-admin-menu.php"}], "id": "CVE-2020-9439", "lastModified": "2020-12-23T19:24:56.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-23T16:15:13.187", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/michiiii/9501b878e7ba3c9fc2a7407ff8277fa5"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}