CVE-2021-24147 - Vulnerability Details - OpenCVE

Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00266.

Key SSVC decision points have not yet been added.

Vendors	Products
Webnus	Modern Events Calendar Lite

Configuration 1 [-]

cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-11061	Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-03-18T14:57:50

Updated: 2024-08-03T19:21:18.252Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24147

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-18T15:15:15.557

Modified: 2024-11-21T05:52:27.980

Link: CVE-2021-24147

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Modern Events Calendar Lite", "vendor": "Unknown", "versions": [{"lessThan": "5.16.5", "status": "affected", "version": "5.16.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)"}], "descriptions": [{"lang": "en", "value": "Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-18T14:57:50", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f"}], "source": {"discovery": "UNKNOWN"}, "title": "Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24147", "STATE": "PUBLIC", "TITLE": "Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Modern Events Calendar Lite", "version": {"version_data": [{"version_affected": "<", "version_name": "5.16.5", "version_value": "5.16.5"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:18.252Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24147", "datePublished": "2021-03-18T14:57:50", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:21:18.252Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BD00028C-3D21-47D5-BC22-73761A049EFB", "versionEndExcluding": "5.16.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event."}, {"lang": "es", "value": "Una entrada no comprobada y una falta de codificaci\u00f3n de salida en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no sanean el campo mic_comment (Notas a tiempo) cuando agrega y edita un evento, permitiendo a usuarios con privilegios tan bajos como el autor para agregar eventos con una carga \u00fatil de tipo Cross-Site Scripting en ellos, que ser\u00e1 activada en el frontend cuando se visualiza el evento"}], "id": "CVE-2021-24147", "lastModified": "2024-11-21T05:52:27.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-18T15:15:15.557", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}