5

CVE-2012-2401

WordPress Core <= 3.3.1 - Same Origin Policy Bypass

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
Mögliche Gegenmaßnahme
WordPress: Update to version 3.3.2, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MoxiecodePlupload Version <= 1.5.3
MoxiecodePlupload Version1.4.0
MoxiecodePlupload Version1.4.1
MoxiecodePlupload Version1.4.2
MoxiecodePlupload Version1.4.3
MoxiecodePlupload Version1.5.0
MoxiecodePlupload Version1.5.0 Updatebeta
MoxiecodePlupload Version1.5.1
MoxiecodePlupload Version1.5.2
WordpressWordpress Version <= 3.3.1
WordpressWordpress Version0.71
WordpressWordpress Version1.0
WordpressWordpress Version1.0.1
WordpressWordpress Version1.0.2
WordpressWordpress Version1.1.1
WordpressWordpress Version1.2
WordpressWordpress Version1.2.1
WordpressWordpress Version1.2.2
WordpressWordpress Version1.2.3
WordpressWordpress Version1.2.4
WordpressWordpress Version1.2.5
WordpressWordpress Version1.2.5 Updatea
WordpressWordpress Version1.3
WordpressWordpress Version1.3.2
WordpressWordpress Version1.3.3
WordpressWordpress Version1.5
WordpressWordpress Version1.5.1
WordpressWordpress Version1.5.1.1
WordpressWordpress Version1.5.1.2
WordpressWordpress Version1.5.1.3
WordpressWordpress Version1.5.2
WordpressWordpress Version2.0
WordpressWordpress Version2.0.1
WordpressWordpress Version2.0.2
WordpressWordpress Version2.0.4
WordpressWordpress Version2.0.5
WordpressWordpress Version2.0.6
WordpressWordpress Version2.0.7
WordpressWordpress Version2.0.8
WordpressWordpress Version2.0.9
WordpressWordpress Version2.0.10
WordpressWordpress Version2.0.11
WordpressWordpress Version2.1
WordpressWordpress Version2.1.1
WordpressWordpress Version2.1.2
WordpressWordpress Version2.1.3
WordpressWordpress Version2.2
WordpressWordpress Version2.2.1
WordpressWordpress Version2.2.2
WordpressWordpress Version2.2.3
WordpressWordpress Version2.3
WordpressWordpress Version2.3.1
WordpressWordpress Version2.3.2
WordpressWordpress Version2.3.3
WordpressWordpress Version2.5
WordpressWordpress Version2.5.1
WordpressWordpress Version2.6
WordpressWordpress Version2.6.1
WordpressWordpress Version2.6.2
WordpressWordpress Version2.6.3
WordpressWordpress Version2.6.5
WordpressWordpress Version2.7
WordpressWordpress Version2.7.1
WordpressWordpress Version2.8
WordpressWordpress Version2.8.1
WordpressWordpress Version2.8.2
WordpressWordpress Version2.8.3
WordpressWordpress Version2.8.4
WordpressWordpress Version2.8.4 Updatea
WordpressWordpress Version2.8.5
WordpressWordpress Version2.8.5.1
WordpressWordpress Version2.8.5.2
WordpressWordpress Version2.8.6
WordpressWordpress Version2.9
WordpressWordpress Version2.9.1
WordpressWordpress Version2.9.1.1
WordpressWordpress Version2.9.2
WordpressWordpress Version3.0
WordpressWordpress Version3.0.1
WordpressWordpress Version3.0.2
WordpressWordpress Version3.0.3
WordpressWordpress Version3.0.4
WordpressWordpress Version3.0.5
WordpressWordpress Version3.0.6
WordpressWordpress Version3.1
WordpressWordpress Version3.1.1
WordpressWordpress Version3.1.2
WordpressWordpress Version3.1.3
WordpressWordpress Version3.3
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.3.2)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.32% 0.916
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://secunia.com/advisories/49138
Vendor Advisory
http://www.debian.org/security/2012/dsa-2470
http://wordpress.org/news/2012/04/wordpress-3-3-2/
Patch
Vendor Advisory
http://www.securityfocus.com/bid/53192
http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487
http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487
http://osvdb.org/81461
http://www.plupload.com/punbb/viewtopic.php?id=1685
https://exchange.xforce.ibmcloud.com/vulnerabilities/75208
https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ab4dc20-ce50-4ad0-aff4-9fc529d1911f
Third Party Advisory