Improper access control in Email Subscribers & Newsletters - CVE-2020-5780
Published: September 11, 2020
Vulnerability identifier: #VU46643
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5780
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Email Subscribers & Newsletters
Email Subscribers & Newsletters
Software vendor:
icegram
icegram
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the "class-es-newsletters.php" class. A remote attacker can send forged emails to all recipients from the available lists of contacts or subscribers with complete control over the content and subject of the email.
Remediation
Install updates from vendor's website.