CVE-2021-24167 - OpenCVE

When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Web-stat	Web-stat

Configuration 1 [-]

cpe:2.3:a:web-stat:web-stat:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-04-05T18:27:43

Updated: 2024-08-03T19:21:18.623Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24167

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-05T19:15:15.577

Modified: 2023-11-07T03:31:07.063

Link: CVE-2021-24167

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Web-Stat", "vendor": "Unknown", "versions": [{"lessThan": "1.4.1", "status": "affected", "version": "1.4.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Ramuel Gall"}], "descriptions": [{"lang": "en", "value": "When visiting a site running Web-Stat < 1.4.0, the \"wts_web_stat_load_init\" function used the visitor\u2019s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-05T18:27:43", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60"}], "source": {"discovery": "UNKNOWN"}, "title": "Web-Stat < 1.4.1 - API Key Disclosure", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24167", "STATE": "PUBLIC", "TITLE": "Web-Stat < 1.4.1 - API Key Disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Web-Stat", "version": {"version_data": [{"version_affected": "<", "version_name": "1.4.1", "version_value": "1.4.1"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Ramuel Gall"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When visiting a site running Web-Stat < 1.4.0, the \"wts_web_stat_load_init\" function used the visitor\u2019s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:18.623Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24167", "datePublished": "2021-04-05T18:27:43", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:21:18.623Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:web-stat:web-stat:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1776B8BE-BBA4-45A4-BFBC-0FCB0B44741F", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When visiting a site running Web-Stat < 1.4.0, the \"wts_web_stat_load_init\" function used the visitor\u2019s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account."}, {"lang": "es", "value": "Cuando se visita un sitio que ejecuta Web-Stat versiones anteriores a 1.4.0, la funci\u00f3n \"wts_web_stat_load_init\" us\u00f3 el navegador del visitante para enviar una petici\u00f3n XMLHttpRequest a https://wts2.one/ajax.htm?action=lookup_WP_account"}], "id": "CVE-2021-24167", "lastModified": "2023-11-07T03:31:07.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-05T19:15:15.577", "references": [{"source": "contact@wpscan.com", "tags": ["Third Party Advisory"], "url": "https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "contact@wpscan.com", "type": "Secondary"}]}