OSM – OpenStreetMap <= 6.0.2 - Authenticated (Contributor+) SQL Injection
wordt vertaald…Platform
wordpress
Component
osm
Opgelost in
6.0.3
CVE-2024-3604 describes a SQL Injection vulnerability discovered in the OSM – OpenStreetMap WordPress plugin. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject malicious SQL queries. The vulnerability affects versions up to and including 6.0.2. A patch is available, requiring plugin upgrade.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The SQL Injection vulnerability in OSM – OpenStreetMap allows an attacker to manipulate database queries. By injecting arbitrary SQL code through the 'taggedfilter' attribute of the 'osmmap_v3' shortcode, an attacker can potentially extract sensitive data stored within the WordPress database. This could include user credentials, configuration details, or other critical information. Successful exploitation could lead to complete database compromise and potentially full control of the WordPress site. The impact is amplified if the database contains sensitive user data or is connected to other critical systems.
Uitbuitingscontextwordt vertaald…
CVE-2024-3604 was publicly disclosed on 2024-07-09. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability requires authenticated access, limiting the immediate attack surface, but the potential impact warrants immediate attention.
Wie Loopt Risicowordt vertaald…
WordPress websites utilizing the OSM – OpenStreetMap plugin, particularly those with users granted contributor-level access or higher, are at risk. Shared hosting environments where multiple WordPress sites share the same database are also at increased risk, as a compromise of one site could potentially impact others.
Detectiestappenwordt vertaald…
• wordpress / composer / npm:
grep -r "osm_map_v3 shortcode tagged_filter" /var/www/html/wp-content/plugins/osm-map-v3/• wordpress / composer / npm:
wp plugin list | grep "osm-map-v3"• wordpress / composer / npm:
curl -I <wordpress_site>/wp-content/plugins/osm-map-v3/readme.txt | grep VersionAanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.69% (72% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Pakketinformatie
- Actieve installaties
- 10KNiche
- Plugin-beoordeling
- 4.6
- Vereist WordPress
- 5.0+
- Compatibel tot
- 6.9.4
- Vereist PHP
- 5.3+
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2024-3604 is to immediately upgrade the OSM – OpenStreetMap WordPress plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'taggedfilter' parameter or implementing stricter input validation on the server-side. While a WAF might offer some protection, it's not a substitute for patching the plugin. After upgrading, verify the fix by attempting to inject a simple SQL query through the 'taggedfilter' parameter and confirming that it is properly sanitized.
Hoe te verhelpenwordt vertaald…
Actualice el plugin OSM – OpenStreetMap a la última versión disponible. La versión más reciente contiene la corrección para la vulnerabilidad de inyección SQL. Si no puede actualizar inmediatamente, considere deshabilitar el plugin temporalmente.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2024-3604 — SQL Injection in OSM – OpenStreetMap WordPress Plugin?
CVE-2024-3604 is a critical SQL Injection vulnerability affecting the OSM – OpenStreetMap WordPress plugin versions up to 6.0.2. It allows authenticated attackers to inject SQL code and potentially extract sensitive data.
Am I affected by CVE-2024-3604 in OSM – OpenStreetMap WordPress Plugin?
You are affected if you are using the OSM – OpenStreetMap WordPress plugin version 6.0.2 or earlier. Check your plugin version and upgrade immediately if necessary.
How do I fix CVE-2024-3604 in OSM – OpenStreetMap WordPress Plugin?
The fix is to upgrade the OSM – OpenStreetMap WordPress plugin to a patched version. Consult the plugin developer's website for the latest version and installation instructions.
Is CVE-2024-3604 being actively exploited?
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation. Monitor your systems closely.
Where can I find the official OSM – OpenStreetMap advisory for CVE-2024-3604?
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and updates regarding CVE-2024-3604.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.