CVE-2021-24490

MEDIUM Year: 2021
CVSS v3 Score
6.8
Medium
CVSS v2 Score
6.0
Medium
Weakness Type
CWE-352
View all →

Vulnerability Description

The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS

Related Vulnerabilities

CVE-2017-1000147

MEDIUM
CVSS:6.8(Medium)

Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. T...

CWE-3522017

CVE-2017-17982

MEDIUM
CVSS:6.8(Medium)

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

CWE-3522017

CVE-2018-10223

MEDIUM
CVSS:6.8(Medium)

An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.

CWE-3522018

CVE-2018-10224

MEDIUM
CVSS:6.8(Medium)

An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.

CWE-3522018

CVE-2018-5073

MEDIUM
CVSS:6.8(Medium)

Online Ticket Booking has CSRF via admin/movieedit.php.

CWE-3522018