A cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker who holds the privilege defined by the product's 'capability' setting stores an arbitrary script in a field label, the script may be executed in the web browser of a logged-in user who has the same privilege as the attacker.
History

Fri, 13 Sep 2024 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wpengine
                                      Wpengine advanced Custom Fields
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:wordpress:*:*
                                      cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*
Vendors & Products                    Wpengine
                                      Wpengine advanced Custom Fields
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 05 Sep 2024 14:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Sep 2024 23:15:00 +0000

Type                 Values Removed   Values Added
Description                           Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.
References

MITRE
Status: PUBLISHED
Assigner: jpcert
Published: 2024-09-04T23:07:58.383Z
Updated: 2024-09-05T13:33:49.318Z
Reserved: 2024-08-29T00:56:56.778Z
Link: CVE-2024-45429

Vulnrichment
Updated: 2024-09-05T13:33:45.800Z

NVD
Status: Analyzed
Published: 2024-09-04T23:15:12.803
Modified: 2024-09-13T20:48:05.387
Link: CVE-2024-45429

Redhat
No data.