CVE-2022-0919
Vulnerability from cvelistv5
Published
2022-04-11 14:40
Modified
2024-08-02 23:47
Severity ?
Summary
The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.
References
contact@wpscan.comhttps://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4Exploit, Third Party Advisory
Impacted products
Vendor Product Version
Unknown Salon booking system Version: 7.6.3   < 7.6.3
 Create a notification for this product.
   Unknown Salon Booking System Pro Version: 7.6.3   < 7.6.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:42.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Salon booking system",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.6.3",
              "status": "affected",
              "version": "7.6.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Salon Booking System Pro",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.6.3",
              "status": "affected",
              "version": "7.6.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Huli from Cymetrics"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-11T14:40:56",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Salon booking system \u003c 7.6.3 - Unauthenticated Sensitive Data Disclosure",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0919",
          "STATE": "PUBLIC",
          "TITLE": "Salon booking system \u003c 7.6.3 - Unauthenticated Sensitive Data Disclosure"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Salon booking system",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "7.6.3",
                            "version_value": "7.6.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Salon Booking System Pro",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "7.6.3",
                            "version_value": "7.6.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Huli from Cymetrics"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0919",
    "datePublished": "2022-04-11T14:40:56",
    "dateReserved": "2022-03-10T00:00:00",
    "dateUpdated": "2024-08-02T23:47:42.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0919\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-04-11T15:15:08.690\",\"lastModified\":\"2024-11-21T06:39:40.110\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other\u0027s booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.\"},{\"lang\":\"es\",\"value\":\"Los plugins Salon booking system Free y pro de WordPress versiones anteriores a 7.6.3, no presentan la autorizaci\u00f3n apropiada cuando buscan reservas, lo que permite a cualquier usuario no autenticado buscar las reservas de otros, as\u00ed como recuperar informaci\u00f3n confidencial sobre las reservas, como el nombre completo, el correo electr\u00f3nico y el n\u00famero de tel\u00e9fono de la persona que las reserv\u00f3\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:salonbookingsystem:salon_booking_system:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"7.6.3\",\"matchCriteriaId\":\"0AFD6C6A-880C-4655-B82E-30C6FFA6062C\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/e8f32e0b-4a89-460b-bb78-7c83ef5e16b4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.