CVE-2021-24298 - Vulnerability Details - OpenCVE

The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibenic	Simple Giveaways

Configuration 1 [-]

cpe:2.3:a:ibenic:simple_giveaways:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/
https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-05-24T10:58:04

Updated: 2024-08-03T19:28:23.261Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24298

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-24T11:15:08.143

Modified: 2024-11-21T05:52:47.430

Link: CVE-2021-24298

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Simple Giveaways \u2013 Grow your business, email lists and traffic with contests", "vendor": "Igor Benic", "versions": [{"lessThan": "2.36.2", "status": "affected", "version": "2.36.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Shreya Pohekar of Codevigilant Project"}], "descriptions": [{"lang": "en", "value": "The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-24T10:58:04", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"}, {"tags": ["x_refsource_MISC"], "url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"}], "source": {"discovery": "UNKNOWN"}, "title": "Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24298", "STATE": "PUBLIC", "TITLE": "Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Simple Giveaways \u2013 Grow your business, email lists and traffic with contests", "version": {"version_data": [{"version_affected": "<", "version_name": "2.36.2", "version_value": "2.36.2"}]}}]}, "vendor_name": "Igor Benic"}]}}, "credit": [{"lang": "eng", "value": "Shreya Pohekar of Codevigilant Project"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"}, {"name": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/", "refsource": "MISC", "url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:28:23.261Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24298", "datePublished": "2021-05-24T10:58:04", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:28:23.261Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibenic:simple_giveaways:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "9B8B0991-08BA-4B45-B448-D81B88FF7877", "versionEndExcluding": "2.36.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS"}, {"lang": "es", "value": "El m\u00e9todo y los par\u00e1metros de compartir GET de las p\u00e1ginas del Sorteo no se sanearon, validaron o escaparon versiones anteriores a volver a aparecer en las p\u00e1ginas, lo que conllev\u00f3 a un XSS reflejado"}], "id": "CVE-2021-24298", "lastModified": "2024-11-21T05:52:47.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-24T11:15:08.143", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Secondary"}]}