CVE-2024-38761 - Vulnerability Details - OpenCVE

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0072.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Dylanjames	Zephyr Project Manager
Zephyr-one	Zephyr Project Manager

Configuration 1 [-]

cpe:2.3:a:zephyr-one:zephyr_project_manager:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-37606	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.

Fixes

Solution

Update to 3.3.100 or a higher version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-99-sensitive-data-exposure-via-export-file-vulnerability?_s_id=cve

History

Tue, 11 Feb 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zephyr-one Zephyr-one zephyr Project Manager
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:zephyr-one:zephyr_project_manager::::::wordpress::*
Vendors & Products		Zephyr-one Zephyr-one zephyr Project Manager

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2024-08-01T21:26:53.542Z

Updated: 2024-08-02T14:54:28.511Z

Reserved: 2024-06-19T11:17:27.405Z

Link: CVE-2024-38761

Vulnrichment

Updated: 2024-08-02T14:53:51.746Z

NVD

Status : Analyzed

Published: 2024-08-01T22:15:25.397

Modified: 2025-02-11T19:31:28.193

Link: CVE-2024-38761

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38761", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2024-06-19T11:17:27.405Z", "datePublished": "2024-08-01T21:26:53.542Z", "dateUpdated": "2024-08-02T14:54:28.511Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "zephyr-project-manager", "product": "Zephyr Project Manager", "vendor": "Dylan James", "versions": [{"changes": [{"at": "3.3.100", "status": "unaffected"}], "lessThanOrEqual": "3.3.99", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Joshua Chan (Patchstack Alliance)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.<p>This issue affects Zephyr Project Manager: from n/a through 3.3.99.</p>"}], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-01T21:26:53.542Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-99-sensitive-data-exposure-via-export-file-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 3.3.100 or a higher version."}], "value": "Update to 3.3.100 or a higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Zephyr Project Manager plugin <= 3.3.99 - Sensitive Data Exposure via Export File vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "dylanjames", "product": "zephyr_project_manager", "cpes": ["cpe:2.3:a:dylanjames:zephyr_project_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.99", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T14:52:19.556788Z", "id": "CVE-2024-38761", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T14:54:28.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress Zephyr Project Manager plugin <= 3.3.99 - Sensitive Data Exposure via Export File vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Joshua Chan (Patchstack Alliance)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dylan James", "product": "Zephyr Project Manager", "versions": [{"status": "affected", "changes": [{"at": "3.3.100", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.3.99"}], "packageName": "zephyr-project-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to 3.3.100 or a higher version.", "supportingMedia": [{"type": "text/html", "value": "Update to 3.3.100 or a higher version.", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-99-sensitive-data-exposure-via-export-file-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.<p>This issue affects Zephyr Project Manager: from n/a through 3.3.99.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-01T21:26:53.542Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T14:52:19.556788Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dylanjames:zephyr_project_manager:*:*:*:*:*:*:*:*"], "vendor": "dylanjames", "product": "zephyr_project_manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.3.99"}], "defaultStatus": "unknown"}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-08-02T14:53:51.746Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-38761", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:26:53.542Z", "dateReserved": "2024-06-19T11:17:27.405Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2024-08-01T21:26:53.542Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zephyr-one:zephyr_project_manager:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5507AB16-A38D-4E15-9570-551DBC2F850C", "versionEndExcluding": "3.3.100", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99."}, {"lang": "es", "value": " Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de actor no autorizado en Dylan James Zephyr Project Manager. Este problema afecta a Zephyr Project Manager: desde n/a hasta 3.3.99."}], "id": "CVE-2024-38761", "lastModified": "2025-02-11T19:31:28.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-01T22:15:25.397", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-99-sensitive-data-exposure-via-export-file-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "audit@patchstack.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}