{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6332", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-25T17:38:01.385Z", "datePublished": "2024-09-05T09:29:48.753Z", "dateUpdated": "2024-09-05T19:38:14.016Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-09-05T09:29:48.753Z"}, "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia Premium", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.7", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version."}], "title": "Booking for Appointments and Events Calendar \u2013 Amelia Premium <= 7.7 and Lite <= 1.2.3 - Missing Authorization to Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nadim Zubidat"}], "timeline": [{"time": "2024-09-04T21:24:51.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T19:38:01.113304Z", "id": "CVE-2024-6332", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:38:14.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6332", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T19:38:01.113304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:38:07.227Z"}}], "cna": {"title": "Booking for Appointments and Events Calendar \u2013 Amelia Premium <= 7.7 and Lite <= 1.2.3 - Missing Authorization to Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Nadim Zubidat"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia Premium", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.7"}], "defaultStatus": "unaffected"}, {"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-09-04T21:24:51.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-09-05T09:29:48.753Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6332", "state": "PUBLISHED", "dateUpdated": "2024-09-05T19:38:14.016Z", "dateReserved": "2024-06-25T17:38:01.385Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-09-05T09:29:48.753Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tmsproducts:amelia:*:*:*:*:lite:wordpress:*:*", "matchCriteriaId": "660A14FE-663B-45F0-82A4-5F9A1169B5C1", "versionEndIncluding": "1.2.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:tmsproducts:amelia:*:*:*:*:premium:wordpress:*:*", "matchCriteriaId": "382CBCFD-4A86-42F8-BE43-6C0E165FFB96", "versionEndIncluding": "7.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version."}, {"lang": "es", "value": "Los complementos Booking for Appointments and Events Calendar \u2013 Amelia Premium and Lite para WordPress son vulnerables al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'ameliaButtonCommand' en todas las versiones hasta la Premium 7.7 y la Lite 1.2.3 incluida. Esto permite que atacantes no autenticados accedan a los detalles del calendario de los empleados, incluidos los tokens OAuth de Google Calendar en la versi\u00f3n premium."}], "id": "CVE-2024-6332", "lastModified": "2024-09-12T12:45:37.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-09-05T10:15:02.970", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/assets/js/tinymce/amelia-mce.js#L741"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/public/js/tinymce/amelia-mce.js#L741"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}