CVE-2017-17780

Clockwork SMS Plugins - Multiple Versions - Cross-Site Scripting

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.

El componente clockwork-test-message.php en Clockwork SMS tiene una vulnerabilidad Cross-Site Scripting (XSS) a través de un parámetro "to" manipulado en una petición clockwork-test-message en wp-admin/admin.php. Este código de componente se encuentra en los siguientes plugins de WordPress: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2 y WP e-Commerce - Clockwork SMS 2.0.5.

*Credits: Dimopoulos Elias

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-12-18 CVE Published
2017-12-19 CVE Reserved
2023-10-29 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html	2024-08-05

URL	Date	SRC
https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Ftemplates%2Fclockwork-test-message.php	2021-03-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mediaburst Search vendor "Mediaburst"		Booking Calendar Sms Search vendor "Mediaburst" for product "Booking Calendar Sms"				1.0.5 Search vendor "Mediaburst" for product "Booking Calendar Sms" and version "1.0.5"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Clockwork Sms Notfications Search vendor "Mediaburst" for product "Clockwork Sms Notfications"				2.0.3 Search vendor "Mediaburst" for product "Clockwork Sms Notfications" and version "2.0.3"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Contact Form 7 Sms Search vendor "Mediaburst" for product "Contact Form 7 Sms"				2.3.0 Search vendor "Mediaburst" for product "Contact Form 7 Sms" and version "2.3.0"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Fast Secure Contact Form Sms Search vendor "Mediaburst" for product "Fast Secure Contact Form Sms"				2.1.2 Search vendor "Mediaburst" for product "Fast Secure Contact Form Sms" and version "2.1.2"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Formidable Search vendor "Mediaburst" for product "Formidable"				1.0.2 Search vendor "Mediaburst" for product "Formidable" and version "1.0.2"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Gravity Forms Search vendor "Mediaburst" for product "Gravity Forms"				2.2 Search vendor "Mediaburst" for product "Gravity Forms" and version "2.2"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Two-factor Authentication Search vendor "Mediaburst" for product "Two-factor Authentication"				1.0.2 Search vendor "Mediaburst" for product "Two-factor Authentication" and version "1.0.2"		wordpress		Affected
Mediaburst Search vendor "Mediaburst"		Wp E-commerce Search vendor "Mediaburst" for product "Wp E-commerce"				2.0.5 Search vendor "Mediaburst" for product "Wp E-commerce" and version "2.0.5"		wordpress		Affected