Absolute Path Traversal and Server-Side Request Forgery Vulnerability in ICS Calendar
CVE-2023-46784

8.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
17 May 2024

What is CVE-2023-46784?

The ICS Calendar by Room 34 Creative Services, LLC has been identified with vulnerabilities allowing for improper limitation of a pathname to a restricted directory and server-side request forgery. This situation permits attackers to exploit path traversal techniques, gaining unauthorized access to sensitive files stored within the system. Additionally, malicious users could perform server-side request forgery, potentially allowing them to interact with internal services in ways not intended by the developers. Affected versions include all prior to 10.12.0.3, posing significant risk to users if not addressed.

Affected Version(s)

ICS Calendar <= 10.12.0.3

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Daffa (Patchstack Alliance)
.