Search criteria
4 vulnerabilities found for zoho_crm_lead_magnet by zohocorp
CVE-2022-41978 (GCVE-0-2022-41978)
Vulnerability from nvd – Published: 2022-11-09 15:46 – Updated: 2025-02-20 19:54
VLAI?
Title
WordPress Zoho CRM Lead Magnet plugin <= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability
Summary
Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
Severity ?
8.8 (High)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zoho CRM | Zoho CRM Lead Magnet (WordPress plugin) |
Affected:
<= 1.7.5.8 , ≤ 1.7.5.8
(custom)
|
Credits
Vulnerability discovered by ptsfence (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:17:15.416393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:54:36.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Zoho CRM Lead Magnet (WordPress plugin)",
"vendor": "Zoho CRM",
"versions": [
{
"lessThanOrEqual": "1.7.5.8",
"status": "affected",
"version": "\u003c= 1.7.5.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by ptsfence (Patchstack Alliance)"
}
],
"datePublic": "2022-10-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-09T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-41978",
"datePublished": "2022-11-09T15:46:23.306Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:54:36.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33849 (GCVE-0-2021-33849)
Vulnerability from nvd – Published: 2021-10-05 21:43 – Updated: 2024-08-04 00:05
VLAI?
Summary
A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zoho | Zoho CRM Lead Magnet |
Affected:
1.7.2.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zoho CRM Lead Magnet",
"vendor": "Zoho",
"versions": [
{
"status": "affected",
"version": "1.7.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-05T21:43:47",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zoho CRM Lead Magnet",
"version": {
"version_data": [
{
"version_value": "1.7.2.4"
}
]
}
}
]
},
"vendor_name": "Zoho"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33849",
"datePublished": "2021-10-05T21:43:47",
"dateReserved": "2021-06-04T00:00:00",
"dateUpdated": "2024-08-04T00:05:51.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41978 (GCVE-0-2022-41978)
Vulnerability from cvelistv5 – Published: 2022-11-09 15:46 – Updated: 2025-02-20 19:54
VLAI?
Title
WordPress Zoho CRM Lead Magnet plugin <= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability
Summary
Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
Severity ?
8.8 (High)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zoho CRM | Zoho CRM Lead Magnet (WordPress plugin) |
Affected:
<= 1.7.5.8 , ≤ 1.7.5.8
(custom)
|
Credits
Vulnerability discovered by ptsfence (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:17:15.416393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:54:36.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Zoho CRM Lead Magnet (WordPress plugin)",
"vendor": "Zoho CRM",
"versions": [
{
"lessThanOrEqual": "1.7.5.8",
"status": "affected",
"version": "\u003c= 1.7.5.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by ptsfence (Patchstack Alliance)"
}
],
"datePublic": "2022-10-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-09T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-41978",
"datePublished": "2022-11-09T15:46:23.306Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:54:36.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33849 (GCVE-0-2021-33849)
Vulnerability from cvelistv5 – Published: 2021-10-05 21:43 – Updated: 2024-08-04 00:05
VLAI?
Summary
A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zoho | Zoho CRM Lead Magnet |
Affected:
1.7.2.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zoho CRM Lead Magnet",
"vendor": "Zoho",
"versions": [
{
"status": "affected",
"version": "1.7.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-05T21:43:47",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zoho CRM Lead Magnet",
"version": {
"version_data": [
{
"version_value": "1.7.2.4"
}
]
}
}
]
},
"vendor_name": "Zoho"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33849",
"datePublished": "2021-10-05T21:43:47",
"dateReserved": "2021-06-04T00:00:00",
"dateUpdated": "2024-08-04T00:05:51.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}