严重 WordPress WooCommerce Gift Cards Premium < 3.3.1 文件上传漏洞(CVE-2021-3120)

CVE编号

CVE-2021-3120

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2021-02-22
漏洞描述
YITH WooCommerce Gift Cards Premium是YITH公司旗下的一款礼品卡插件产品,该插件允许将礼品卡添加到网站(由WordPress WooCommerce插件提供支持)。

近日,阿里云监测到YITH官方披露了旗下产品YITH WooCommerce Gift Cards Premium存在远程命令执行漏洞,攻击者可以利用该漏洞将恶意文件上传到服务器,从而在服务器操作系统中实现远程代码执行。
解决建议
已修复版本:YITH WooCommerce Gift Cards Premium >= 3.3.1
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 WordPress WooCommerce * Up to
(excluding)
3.3.1
运行在以下环境
系统 centos_8 dotnet-templates-3.1 * Up to
(excluding)
3.1.15-1.el8_4
运行在以下环境
系统 fedora_32 dotnet * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-apphost-pack-5.0-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-apphost-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-host-5.0.6-1.fc34.a * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-host-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-host-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-hostfxr-5.0-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-runtime-5.0-debuginfo-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-sdk-5.0-debuginfo * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-targeting-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet-templates-5.0 * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet5.0 * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet5.0-debuginfo * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 dotnet5.0-debugsource * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_32 netstandard-targeting-pack-2.1 * Up to
(excluding)
5.0.203-1.fc32
运行在以下环境
系统 fedora_33 dotnet * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-apphost-pack-5.0-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-apphost-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-host-5.0.6-1.fc34.a * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-host-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-host-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-hostfxr-5.0-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-runtime-5.0-debuginfo-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-sdk-5.0-debuginfo * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-targeting-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet-templates-5.0 * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet5.0 * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet5.0-debuginfo * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 dotnet5.0-debugsource * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_33 netstandard-targeting-pack-2.1 * Up to
(excluding)
3.1.115-1.fc33
运行在以下环境
系统 fedora_34 dotnet * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-apphost-pack-5.0-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-apphost-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-host-5.0.6-1.fc34.a * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-host-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-host-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-hostfxr-5.0-debuginfo-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-runtime-5.0-debuginfo-5.0.6-1.fc34.aarch64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-sdk-5.0-debuginfo * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-targeting-pack-5.0-5.0.6-1.fc34.x86_64.rpm ( * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet-templates-5.0 * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet5.0 * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet5.0-debuginfo * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 dotnet5.0-debugsource * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 fedora_34 netstandard-targeting-pack-2.1 * Up to
(excluding)
5.0.203-1.fc34
运行在以下环境
系统 oracle_8 dotnet-templates-3.1 * Up to
(excluding)
3.1.115-1.0.1.el8_4
运行在以下环境
系统 redhat_8 dotnet-templates-3.1 * Up to
(excluding)
3.1.15-1.el8_4
阿里云评分
9.3
  • 攻击路径
    远程
  • 攻击复杂度
    容易
  • 权限要求
    无需权限
  • 影响范围
    全局影响
  • EXP成熟度
    POC 已公开
  • 补丁情况
    官方补丁
  • 数据保密性
    数据泄露
  • 数据完整性
    传输被破坏
  • 服务器危害
    服务器失陷
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-434 危险类型文件的不加限制上传
阿里云安全产品覆盖情况