NVD Vulnerability Detail

CVE-2020-35650

Summary	Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php.
Publication Date	Dec. 24, 2020, 1:15 a.m.
Registration Date	Jan. 26, 2021, 11:58 a.m.
Last Update	Nov. 21, 2024, 2:27 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:uncannyowl:uncanny_groups_for_learndash::::::::					3.7

Related information, measures and tools

No	URL	タグ
1	https://gist.github.com/michiiii/81d801f563138abe7da61e2d95342202	Third Party Advisory
2	https://gist.github.com/michiiii/81d801f563138abe7da61e2d95342202	Third Party Advisory
3	https://www.uncannyowl.com/knowledge-base/uncanny-learndash-groups-changelog/	Release Notes Vendor Advisory
4	https://www.uncannyowl.com/knowledge-base/uncanny-learndash-groups-changelog/	Release Notes Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Uncanny Groups for LearnDash におけるクロスサイトスクリプティングの脆弱性

Title	Uncanny Groups for LearnDash におけるクロスサイトスクリプティングの脆弱性
Summary	Uncanny Groups for LearnDash には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 6, 2020, midnight
Registration Date	Aug. 30, 2021, 4:08 p.m.
Last Update	Aug. 30, 2021, 4:08 p.m.

Affected System

Uncanny Owl

Uncanny Groups for LearnDash 3.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-35650	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35650
National Vulnerability Database (NVD)
2	CVE-2020-35650	https://nvd.nist.gov/vuln/detail/CVE-2020-35650

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Changelog
1	Uncanny Groups for LearnDash - Changelog	https://www.uncannyowl.com/knowledge-base/uncanny-learndash-groups-changelog/

Change Log

No	Changed Details	Date of change
1	[2021年08月30日] 掲載	Aug. 30, 2021, 4:08 p.m.