CVE-2021-39339 - OpenCVE

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Telefication	Telefication

Configuration 1 [-]

cpe:2.3:a:telefication:telefication:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2021-09-22T10:38:17.540678Z

Updated: 2024-09-17T01:36:40.622Z

Reserved: 2021-08-20T00:00:00

Link: CVE-2021-39339

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-22T11:15:07.503

Modified: 2021-10-02T02:09:48.157

Link: CVE-2021-39339

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Telefication", "vendor": "Telefication", "versions": [{"lessThanOrEqual": "1.8.0", "status": "affected", "version": "1.8.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marco Wotschka and Charles Strader Sweethill"}], "datePublic": "2021-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-22T10:38:17", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"tags": ["x_refsource_MISC"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}], "solutions": [{"lang": "en", "value": "Uninstall plugin."}], "source": {"discovery": "INTERNAL"}, "title": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Wordfence", "ASSIGNER": "security@wordfence.com", "DATE_PUBLIC": "2021-09-21T15:31:00.000Z", "ID": "CVE-2021-39339", "STATE": "PUBLIC", "TITLE": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Telefication", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.8.0", "version_value": "1.8.0"}]}}]}, "vendor_name": "Telefication"}]}}, "credit": [{"lang": "eng", "value": "Marco Wotschka and Charles Strader Sweethill"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "refsource": "MISC", "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"name": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "refsource": "MISC", "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}]}, "solution": [{"lang": "en", "value": "Uninstall plugin."}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:06:42.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}]}]}, "cveMetadata": {"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2021-39339", "datePublished": "2021-09-22T10:38:17.540678Z", "dateReserved": "2021-08-20T00:00:00", "dateUpdated": "2024-09-17T01:36:40.622Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:telefication:telefication:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E0A5A5B2-59C9-4A40-804A-5EEE2330D07E", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}, {"lang": "es", "value": "El plugin Telefication de WordPress es vulnerable a un ataque de tipo Open Proxy y Server-Side Request Forgery por medio del archivo ~/bypass.php debido a un valor de petici\u00f3n de URL suministrado por el usuario que es llamado por una petici\u00f3n curl. Esto afecta a las versiones hasta la 1.8.0 inclusive"}], "id": "CVE-2021-39339", "lastModified": "2021-10-02T02:09:48.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2021-09-22T11:15:07.503", "references": [{"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Primary"}]}