CVE-2022-2717
CVSS V2 None
CVSS V3 Medium 4.9
Description
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Overview
- CVE ID
- CVE-2022-2717
- Assigner
- security@wordfence.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-09-06T18:15:14
- Last Modified Date
- 2022-09-13T15:28:44
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:* | 1 | OR | 5.2.5 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- HIGH
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 4.9
- Base Severity
- MEDIUM
- Exploitability Score
- 1.2
- Impact Score
- 3.6
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-2717 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2717 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-09-06 19:00:12 | Added to TrackCVE |