Vrm 360 3D Model Viewer <= 1.2.1 – Full Path Disclosure | CVE 2023-5177 | Plugin Vulnerabilities

Description

The plugin exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.

Proof of Concept

1. Create a page
2. Place the shortcode `[vrm360 canvas_name=s1 model_url=SA_Character.zip aspect_ratio=1.8 initial_offset=0.9]` on the page (`SA_Character.zip` should be a non-existent file)
3. Publish page
4. Visit the page and see the full path disclosure in the browser's console.

Affects Plugins

No known fix

References

CVE

Classification

Type

FPD

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Jonatas Souza Villa Flor

Submitter

Jonatas Souza Villa Flor

Submitter website

https://decriptosec.com/

Submitter twitter

Verified

Yes

WPVDB ID

a67b9c21-a35a-4cdb-9627-a5932334e5f0

Timeline

Publicly Published

2023-09-25 (about 7 months ago)

Added

2023-09-25 (about 7 months ago)

Last Updated

2023-09-25 (about 7 months ago)

Other

Published

Title

Published

2014-08-01

Title

Starbox Voting - ajax.php Full Path Disclosure

Published

2014-08-01

Title

Caulk - path disclosure

Published

2014-08-01

Title

DZS Video Gallery 3.1.3 - Remote File Disclosure

Published

2014-08-01

Title

Q and A - Multiple Scripts Direct Request Path Disclosure

Published

2014-08-01

Title

Sahifa 2.4.0 - Multiple Full Path Disclosure