CVE-2022-1239

HubSpot < 8.8.15 - Contributor+ Blind SSRF

EPSS 1.4%CWE-918

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 May 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks

Affected products

Unknown · HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee