CVE-2020-35934
Advanced Access Manager <= 6.6.1 - Authenticated Information Disclosure
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-08-20 CVE Published
- 2021-01-01 CVE Reserved
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
URL | Date | Source
---|---|---
https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-in-advanced-access-manager | 2024-08-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Vasyltech | Advanced Access Manager | < 6.6.2 | wordpress | Affected