Platform
php
Component
amazing-little-poll
Fixed in
1.3.1
1.4.1
CVE-2023-6768 represents a critical authentication bypass vulnerability affecting Amazing Little Poll versions 1.3 and 1.4. This flaw allows unauthorized users to gain access to the administrative panel without providing any credentials, effectively bypassing the intended security measures. The vulnerability is triggered by manipulating the lp_admin.php?adminstep= parameter. A patch is available in version 1.4.1.
The impact of this vulnerability is severe. An attacker can leverage it to completely compromise the poll system's administrative interface. This grants them full control over the poll's configuration, data, and potentially the underlying server if the poll has elevated privileges. Attackers could modify poll questions, results, user accounts, and even inject malicious code. The blast radius extends to all users who interact with the poll, as their data and privacy are at risk. This vulnerability is particularly concerning given the potential for widespread use of the plugin in various online platforms.
CVE-2023-6768 was publicly disclosed on December 20, 2023. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. No public proof-of-concept code has been released, but the vulnerability is relatively straightforward to exploit. It is currently not listed on the CISA KEV catalog.
Websites and applications utilizing the Amazing Little Poll plugin, particularly those running versions 1.3 and 1.4, are at significant risk. Shared hosting environments are especially vulnerable, as they often lack granular control over individual plugin configurations. Sites with weak access controls or outdated security practices are also at increased risk.
• php / web:
curl -I 'http://your-website.com/lp_admin.php?adminstep='
If the response code is 200, it indicates the vulnerability may be present.
• generic web:
grep -r 'lp_admin.php?adminstep=' /var/log/apache2/access.log
Look for requests to lp_admin.php?adminstep= without authentication headers.
• php / web:
find /var/www/html -name 'lp_admin.php' -print
Verify the file exists and check its permissions to ensure it is not publicly accessible.
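As an added example (not part of this advisory or of the plugin's own code), the access-log check above carried through in Python: it parses combined-format log lines, flags requests to lp_admin.php that carry an adminstep parameter and were answered with 200, and skips sources that are allowlisted or authenticated at the web server (the remote-user field is what the log records for HTTP authentication). The sample log lines and the trusted IP set are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from a real incident); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2023:10:01:12 +0000] "GET /poll/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2023:10:01:30 +0000] "GET /poll/lp_admin.php?adminstep= HTTP/1.1" 200 4410 "-" "curl/8.4.0"
198.51.100.9 - - [20/Dec/2023:10:02:02 +0000] "GET /poll/lp_admin.php?adminstep=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.77 - admin [20/Dec/2023:10:03:45 +0000] "GET /poll/lp_admin.php?adminstep=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2023:10:04:00 +0000] "GET /poll/lp_admin.php?adminstep=3 HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # keep 'adminstep=' (empty)
    return rec

def find_suspicious(log_text, trusted_ips=()):
    """Return records for lp_admin.php requests with an adminstep parameter that were
    answered 200 from a source that is neither allowlisted nor authenticated (assumed policy)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/lp_admin.php"):
            continue
        if "adminstep" not in rec["query"] or rec["status"] != 200:
            continue  # other page, or the request was blocked/redirected
        if rec["user"] != "-" or rec["ip"] in trusted_ips:
            continue  # authenticated at the web server, or an allowlisted admin address
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG, trusted_ips={"192.0.2.77"}):
        print(f'{h["time"]} {h["ip"]} -> {h["target"]} ({h["status"]})')
```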
disclosure
Exploit status
EPSS
0.07% (percentile 21%)
CVSS vector
The primary mitigation is to immediately upgrade Amazing Little Poll to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the lp_admin.php file using your web server's configuration (e.g., .htaccess for Apache). This can be achieved by denying access to the file for all but authorized users. Monitor access logs for suspicious requests targeting lp_admin.php with unusual parameters. After upgrading, confirm the vulnerability is resolved by attempting to access the admin panel without authentication.
Update to a fixed version, or disable the plugin if no fixed version is available. Restrict access to the lp_admin.php file through the web server configuration (for example, .htaccess on Apache) to prevent unauthorized access.
CVE-2023-6768 is a critical vulnerability in Amazing Little Poll versions 1.3 and 1.4 that allows unauthenticated users to access the admin panel by manipulating the lp_admin.php?adminstep= parameter.
You are affected if you are using Amazing Little Poll versions 1.3 or 1.4. Upgrade to version 1.4.1 or later to mitigate the risk.
Upgrade Amazing Little Poll to version 1.4.1 or later. As a temporary workaround, restrict access to lp_admin.php using your web server configuration.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the official Amazing Little Poll website or plugin repository for the latest advisory and update information.