Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for zoho_crm_lead_magnet by zohocorp

    CVE-2022-41978 (GCVE-0-2022-41978)

    Vulnerability from nvd – Published: 2022-11-09 15:46 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Zoho CRM Lead Magnet plugin <= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability
    Summary
    Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-264 - Permissions, Privileges, and Access Controls
    Assigner
    Impacted products
    Vendor Product Version
    Zoho CRM Zoho CRM Lead Magnet (WordPress plugin) Affected: <= 1.7.5.8 , ≤ 1.7.5.8 (custom)
    Create a notification for this product.
    Date Public
    2022-10-27 00:00
    Credits
    Vulnerability discovered by ptsfence (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:56:39.117Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:17:15.416393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:54:36.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zoho CRM Lead Magnet (WordPress plugin)",
              "vendor": "Zoho CRM",
              "versions": [
                {
                  "lessThanOrEqual": "1.7.5.8",
                  "status": "affected",
                  "version": "\u003c= 1.7.5.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by ptsfence (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-264",
                  "description": "CWE-264 Permissions, Privileges, and Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:50.203Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
            },
            {
              "url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-41978",
        "datePublished": "2022-11-09T15:46:23.306Z",
        "dateReserved": "2022-10-19T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:50.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-33849 (GCVE-0-2021-33849)

    Vulnerability from nvd – Published: 2021-10-05 21:43 – Updated: 2024-08-04 00:05
    VLAI
    Summary
    A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
    Severity
    No CVSS data available.
    CWE
    • Improper Neutralization of Input During Web Page Generation
    Assigner
    CSW
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:05:51.043Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zoho CRM Lead Magnet",
              "vendor": "Zoho",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.7.2.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Neutralization of Input During Web Page Generation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-05T21:43:47.000Z",
            "orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
            "shortName": "CSW"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclose@cybersecurityworks.com",
              "ID": "CVE-2021-33849",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Zoho CRM Lead Magnet",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.7.2.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Zoho"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
                },
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
        "assignerShortName": "CSW",
        "cveId": "CVE-2021-33849",
        "datePublished": "2021-10-05T21:43:47.000Z",
        "dateReserved": "2021-06-04T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:05:51.043Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-41978 (GCVE-0-2022-41978)

    Vulnerability from cvelistv5 – Published: 2022-11-09 15:46 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Zoho CRM Lead Magnet plugin <= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability
    Summary
    Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-264 - Permissions, Privileges, and Access Controls
    Assigner
    Impacted products
    Vendor Product Version
    Zoho CRM Zoho CRM Lead Magnet (WordPress plugin) Affected: <= 1.7.5.8 , ≤ 1.7.5.8 (custom)
    Create a notification for this product.
    Date Public
    2022-10-27 00:00
    Credits
    Vulnerability discovered by ptsfence (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:56:39.117Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:17:15.416393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T19:54:36.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zoho CRM Lead Magnet (WordPress plugin)",
              "vendor": "Zoho CRM",
              "versions": [
                {
                  "lessThanOrEqual": "1.7.5.8",
                  "status": "affected",
                  "version": "\u003c= 1.7.5.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by ptsfence (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 on WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-264",
                  "description": "CWE-264 Permissions, Privileges, and Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:50.203Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "url": "https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve"
            },
            {
              "url": "https://wordpress.org/plugins/zoho-crm-forms/#developers"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Zoho CRM Lead Magnet plugin \u003c= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-41978",
        "datePublished": "2022-11-09T15:46:23.306Z",
        "dateReserved": "2022-10-19T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:50.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-33849 (GCVE-0-2021-33849)

    Vulnerability from cvelistv5 – Published: 2021-10-05 21:43 – Updated: 2024-08-04 00:05
    VLAI
    Summary
    A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
    Severity
    No CVSS data available.
    CWE
    • Improper Neutralization of Input During Web Page Generation
    Assigner
    CSW
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:05:51.043Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zoho CRM Lead Magnet",
              "vendor": "Zoho",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.7.2.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Neutralization of Input During Web Page Generation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-05T21:43:47.000Z",
            "orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
            "shortName": "CSW"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclose@cybersecurityworks.com",
              "ID": "CVE-2021-33849",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Zoho CRM Lead Magnet",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.7.2.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Zoho"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The attack targets your application\u0027s users and not the application itself while using your application as the attack\u0027s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2020-29322-telnet-hardcoded-credentials.html"
                },
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2021-33849-stored-cross-site-scripting-xss-in-wordpress-plugin-zoho-crm-lead-magnet-version-1-7-2-4.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
        "assignerShortName": "CSW",
        "cveId": "CVE-2021-33849",
        "datePublished": "2021-10-05T21:43:47.000Z",
        "dateReserved": "2021-06-04T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:05:51.043Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }