漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset
Vulnerability Description
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
认证机制不恰当
Vulnerability Title
Cozy Vision Technologies SMS Alert 授权问题漏洞
Vulnerability Description
Cozy Vision Technologies Pvt. Ltd SMS Alert Order Notifications是Cozy Vision Technologies Pvt. Ltd公司的一款短信提醒订单通知软件。 Cozy Vision Technologies SMS Alert 3.9.5及之前版本存在授权问题漏洞,该漏洞源于未正确验证用户身份,可能导致未经身份验证的攻击者更改任意用户(包括管理员)的电子邮件地址,并重置其密码,从而获取账户访问权限,造成权限提升。
CVSS Information
N/A
Vulnerability Type
N/A