CVE-2022-2080

CVE-2022-2080: Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR

Vendor: Unknown
Product: Sensei LMS – Online Courses, Quizzes, & Learning
Weakness: CWE-639 · IDOR
Published: August 29, 2022
Last update: August 3, 2024

What the vulnerability does

01 Description

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. Note: attackers are not able to see responses or messages between the teacher and student.

Key dates

02 Disclosure timeline

August 29, 2022: CVE published
August 3, 2024: Record updated