CVE-2018-1002006 - Vulnerability Details

Vendors	Products
Kibokolabs	Arigato Autoresponder And Newsletter

Link	Providers
http://www.vapidlabs.com/advisory.php?v=203
https://wordpress.org/plugins/bft-autoresponder/
https://www.exploit-db.com/exploits/45434/

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Arigato Autoresponder and Newsletter", "vendor": "Kiboko Labs https://calendarscripts.info/", "versions": [{"lessThanOrEqual": "2.5.1.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "dateAssigned": "2018-08-22T00:00:00", "datePublic": "2018-12-03T00:00:00", "descriptions": [{"lang": "en", "value": "These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes"}], "problemTypes": [{"descriptions": [{"description": "Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5.1.8", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-04T10:57:01", "orgId": "461b2335-328f-427d-ae3d-eff7d6814455", "shortName": "larry_cashdollar"}, "references": [{"name": "45434", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/45434/"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/bft-autoresponder/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.vapidlabs.com/advisory.php?v=203"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "larry0@me.com", "DATE_ASSIGNED": "2018-08-22", "ID": "CVE-2018-1002006", "REQUESTER": "kurt@seifried.org", "STATE": "PUBLIC", "UPDATED": "2017-08-10T14:41Z"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Arigato Autoresponder and Newsletter", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.5.1.8"}]}}]}, "vendor_name": "Kiboko Labs https://calendarscripts.info/"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5.1.8"}]}]}, "references": {"reference_data": [{"name": "45434", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45434/"}, {"name": "https://wordpress.org/plugins/bft-autoresponder/", "refsource": "MISC", "url": "https://wordpress.org/plugins/bft-autoresponder/"}, {"name": "http://www.vapidlabs.com/advisory.php?v=203", "refsource": "MISC", "url": "http://www.vapidlabs.com/advisory.php?v=203"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:47:57.494Z"}, "title": "CVE Program Container", "references": [{"name": "45434", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/45434/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/bft-autoresponder/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.vapidlabs.com/advisory.php?v=203"}]}]}, "cveMetadata": {"assignerOrgId": "461b2335-328f-427d-ae3d-eff7d6814455", "assignerShortName": "larry_cashdollar", "cveId": "CVE-2018-1002006", "datePublished": "2018-12-03T16:00:00", "dateReserved": "2018-12-03T00:00:00", "dateUpdated": "2024-08-05T12:47:57.494Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Arigato Autoresponder and Newsletter (string)

vendor : Kiboko Labs https://calendarscripts.info/ (string)

versions : [ »

0 : { »

lessThanOrEqual : 2.5.1.8 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

dateAssigned : 2018-08-22T00:00:00 (string)

datePublic : 2018-12-03T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5.1.8 (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2018-12-04T10:57:01 (string)

orgId : 461b2335-328f-427d-ae3d-eff7d6814455 (string)

shortName : larry_cashdollar (string)

}

references : [ »

0 : { »

name : 45434 (string)

tags : [ »

0 : exploit (string)

1 : x_refsource_EXPLOIT-DB (string)

]

url : https://www.exploit-db.com/exploits/45434/ (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wordpress.org/plugins/bft-autoresponder/ (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://www.vapidlabs.com/advisory.php?v=203 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : larry0@me.com (string)

DATE_ASSIGNED : 2018-08-22 (string)

ID : CVE-2018-1002006 (string)

REQUESTER : kurt@seifried.org (string)

STATE : PUBLIC (string)

UPDATED : 2017-08-10T14:41Z (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Arigato Autoresponder and Newsletter (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_value : 2.5.1.8 (string)

}

]

}

]

}

vendor_name : Kiboko Labs https://calendarscripts.info/ (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5.1.8 (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : 45434 (string)

refsource : EXPLOIT-DB (string)

url : https://www.exploit-db.com/exploits/45434/ (string)

}

1 : { »

name : https://wordpress.org/plugins/bft-autoresponder/ (string)

refsource : MISC (string)

url : https://wordpress.org/plugins/bft-autoresponder/ (string)

}

2 : { »

name : http://www.vapidlabs.com/advisory.php?v=203 (string)

refsource : MISC (string)

url : http://www.vapidlabs.com/advisory.php?v=203 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T12:47:57.494Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : 45434 (string)

tags : [ »

0 : exploit (string)

1 : x_refsource_EXPLOIT-DB (string)

2 : x_transferred (string)

]

url : https://www.exploit-db.com/exploits/45434/ (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wordpress.org/plugins/bft-autoresponder/ (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://www.vapidlabs.com/advisory.php?v=203 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 461b2335-328f-427d-ae3d-eff7d6814455 (string)

assignerShortName : larry_cashdollar (string)

cveId : CVE-2018-1002006 (string)

datePublished : 2018-12-03T16:00:00 (string)

dateReserved : 2018-12-03T00:00:00 (string)

dateUpdated : 2024-08-05T12:47:57.494Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kibokolabs:arigato_autoresponder_and_newsletter:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "74D4FE9E-CB0A-436C-B274-6F0AA6649CF5", "versionEndExcluding": "2.5.1.5", "versionStartIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes"}, {"lang": "es", "value": "Esta vulnerabilidad requiere privilegios de administrador para que se explote. Existe una vulnerabilidad Cross-Site Scripting (XSS) en integration-contact-form.html.php:14: mediante la variable de petici\u00f3n POST classes."}], "id": "CVE-2018-1002006", "lastModified": "2024-11-21T03:40:37.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-03T16:29:00.783", "references": [{"source": "larry0@me.com", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.vapidlabs.com/advisory.php?v=203"}, {"source": "larry0@me.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/bft-autoresponder/"}, {"source": "larry0@me.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45434/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.vapidlabs.com/advisory.php?v=203"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://wordpress.org/plugins/bft-autoresponder/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45434/"}], "sourceIdentifier": "larry0@me.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:kibokolabs:arigato_autoresponder_and_newsletter:*:*:*:*:*:wordpress:*:* (string)

matchCriteriaId : 74D4FE9E-CB0A-436C-B274-6F0AA6649CF5 (string)

versionEndExcluding : 2.5.1.5 (string)

versionStartIncluding : 2.5.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes (string)

}

1 : { »

lang : es (string)

value : Esta vulnerabilidad requiere privilegios de administrador para que se explote. Existe una vulnerabilidad Cross-Site Scripting (XSS) en integration-contact-form.html.php:14: mediante la variable de petición POST classes. (string)

}

]

id : CVE-2018-1002006 (string)

lastModified : 2024-11-21T03:40:37.787 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 3.5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:S/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.8 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 1.7 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2018-12-03T16:29:00.783 (string)

references : [ »

0 : { »

source : larry0@me.com (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : http://www.vapidlabs.com/advisory.php?v=203 (string)

}

1 : { »

source : larry0@me.com (string)

tags : [ »

0 : Product (string)

]

url : https://wordpress.org/plugins/bft-autoresponder/ (string)

}

2 : { »

source : larry0@me.com (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

2 : VDB Entry (string)

]

url : https://www.exploit-db.com/exploits/45434/ (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : http://www.vapidlabs.com/advisory.php?v=203 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Product (string)

]

url : https://wordpress.org/plugins/bft-autoresponder/ (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

2 : VDB Entry (string)

]

url : https://www.exploit-db.com/exploits/45434/ (string)

}

]

sourceIdentifier : larry0@me.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object