Multiple vulnerabilities in Amazing Little Poll

Posted date 13/12/2023
Importance
5 - Critical
Affected Resources
  • Amazing Little Poll, versions 1.3 and 1.4.
Description

INCIBE has coordinated the publication of 2 vulnerabilities affecting Amazing Little Poll, a PHP script for creating polls, which have been discovered by David Utón Amaya (m3n0sd0n4ld).

These vulnerabilities have been assigned the following CVSS v3.1 base scores, CVSS vectors and CWE vulnerability types:

  • CVE-2023-6768: CVSS v3.1: 9.4 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CWE-287.
  • CVE-2023-6769: CVSS v3.1: 6.5 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CWE-79.
Solution

There is no reported solution at this time.

Detail
  • CVE-2023-6768: authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. This vulnerability could allow an unauthenticated user to access the admin panel without providing any credentials, simply by requesting "lp_admin.php" with the "adminstep" parameter left empty ("lp_admin.php?adminstep=").
  • CVE-2023-6769: stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload through the "question" and "item" parameters of "lp_admin.php". The stored payload could lead to malicious JavaScript execution when the page loads.
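As an added illustration (not part of the INCIBE advisory or of the Amazing Little Poll project), the following Python scans Apache-style access log lines for the two request patterns described above: an empty "adminstep" parameter on lp_admin.php, and HTML markup arriving in its "question" or "item" parameters. The log lines are constructed, and the matching heuristics are my assumptions for detection purposes, not the vendor's code.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache combined format), not from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2023:10:01:02 +0000] "GET /poll/lp_admin.php?adminstep= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2023:10:01:09 +0000] "GET /poll/lp_admin.php?adminstep=edit&question=%3Cscript%3Ealert(1)%3C%2Fscript%3E&item=Yes HTTP/1.1" 200 4098 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2023:10:02:00 +0000] "GET /poll/lp_poll.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2023:10:02:30 +0000] "GET /poll/lp_admin.php?adminstep=main HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Crude indicator of HTML/JS in a poll question or item (assumed heuristic, tune to taste).
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=', re.I)


def analyse_request(target):
    """Return finding tags for one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != "lp_admin.php":
        return []
    # keep_blank_values is essential: the bypass pattern is "adminstep=" with no value.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if any(value == "" for value in params.get("adminstep", [])):
        findings.append("CVE-2023-6768:empty-adminstep")
    # parse_qs already percent-decodes, so the regex sees the literal markup.
    for name in ("question", "item"):
        if any(MARKUP_RE.search(value) for value in params.get(name, [])):
            findings.append(f"CVE-2023-6769:markup-in-{name}")
    return findings


def scan_log(text):
    """Return (client_ip, finding) pairs for every suspicious lp_admin.php request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        for tag in analyse_request(match["target"]):
            alerts.append((match["ip"], tag))
    return alerts


if __name__ == "__main__":
    for ip, tag in scan_log(SAMPLE_LOG):
        print(f"{ip}  {tag}")
```

Only GET query strings appear in access logs, so payloads submitted in a POST body to lp_admin.php will not be caught this way; for those, inspect the stored poll data or a request body log from a reverse proxy.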