CVE-2020-5244 Information

Description

In BuddyPress before 5.1.2 requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://buddypress.org/2020/01/buddypress-5-1-2/ https://github.com/buddypress/BuddyPress/commit/39294680369a0c992290577a9d740f4a2f2c2ca3 https://github.com/buddypress/BuddyPress/security/advisories/GHSA-3j78-7m59-r7gv

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5