Missing Authorization in Advanced Custom Fields

#VU58479 Missing Authorization in Advanced Custom Fields

Published: 2021-12-02

Vulnerability identifier: #VU58479

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20866

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Advanced Custom Fields
Web applications / Modules and components for CMS

Vendor: Delicious Brains

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to missing authorization related to user list obtaining. A remote authenticated attacker can obtain a list of information that an user do not have the privilege for.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Advanced Custom Fields: 5.8.12 - 5.10.2

External links
http://jvn.jp/en/jp/JVN09136401/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Advanced Custom Fields plugin for WordPress