4.3
CVE-2012-3414
- EPSS 6.26%
- Published 19.07.2013 14:36:31
- Last modified 11.04.2025 00:51:21
- Source secalert@redhat.com
NextGen Gallery <= 1.9.7 - Cross-Site Scripting
WordPress Core <= 3.3.1 - Cross-Site Scripting
SWFUpload <= 2.2.0.1 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
Possible mitigation
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery: Update to version 1.9.8, or a newer patched version
WordPress: Update to version 3.3.2, or a newer patched version
apptha-banner: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
apptha-slider-gallery: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Blaze Slideshow: Update to version 2.6, or a newer patched version
Comment Extra Fields: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
dm-albums: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Album and Image Gallery with Lightbox – Flagallery Photo Portfolio: Update to version 2.12, or a newer patched version
fluid-accessible-pager: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
fluid-accessible-rich-inline-edit: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
fluid-accessible-ui-options: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
fluid-accessible-uploader: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
fresh-page: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
mac-dock-gallery: Update to version 3.0, or a newer patched version
mac-dock-photogallery: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery: Update to version 1.9.7, or a newer patched version
PDF File Browser: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
PICA Photo Gallery: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Power Zoomer: Update to version 2.3, or a newer patched version
slide-show-pro: Update to version 2.4, or a newer patched version
Smart Slideshow: Update to version 2.4, or a newer patched version
Spotlight: Update to version 4.4, or a newer patched version
sprapid: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Ultimate TinyMCE: Update to version 3.6, or a newer patched version
wp-3dbanner-rotator: Update to version 2.2, or a newer patched version
3D Flick Slideshow: Update to version 2.3, or a newer patched version
wp-bliss-gallery: Update to version 2.3, or a newer patched version
wp-carouselslideshow: Update to version 3.11, or a newer patched version
wp-dreamworkgallery: Update to version 2.3, or a newer patched version
wp-ecommerce-cvs-importer: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
wp-extended: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
wp-flipslideshow: Update to version 2.2, or a newer patched version
Homepage SlideShow: Update to version 2.3, or a newer patched version
Image News Slider: Update to version 3.5, or a newer patched version
Levo Slideshow: Update to version 2.3, or a newer patched version
wp-matrix-gallery: Update to version 2.3, or a newer patched version
Powerplay Gallery: Update to version 3.2, or a newer patched version
wp-royal-gallery: Update to version 2.1, or a newer patched version
wp-superb-slideshow: Update to version 2.4, or a newer patched version
wp-vertical-gallery: Update to version 2.3, or a newer patched version
wp-yasslideshow: Update to version 3.4, or a newer patched version
MailPoet Newsletters (Previous): Update to version 2.1.7, or a newer patched version
WordPress: Update to version 3.3.2, or a newer patched version
Further vulnerability information
| System | Product | Version |
|---|---|---|
| WordPress Plugin | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | * - 1.9.7 |
| WordPress Core | WordPress | * - 3.3.1 |
| WordPress Plugin | apptha-banner | * |
| WordPress Plugin | apptha-slider-gallery | * |
| WordPress Plugin | Blaze Slideshow | * - 2.4 |
| WordPress Plugin | Comment Extra Fields | * - 1.7 |
| WordPress Plugin | dm-albums | * |
| WordPress Plugin | Album and Image Gallery with Lightbox – Flagallery Photo Portfolio | [*, 2.12) |
| WordPress Plugin | fluid-accessible-pager | * |
| WordPress Plugin | fluid-accessible-rich-inline-edit | * |
| WordPress Plugin | fluid-accessible-ui-options | * |
| WordPress Plugin | fluid-accessible-uploader | * |
| WordPress Plugin | fresh-page | * |
| WordPress Plugin | mac-dock-gallery | [*, 3.0) |
| WordPress Plugin | mac-dock-photogallery | * - 1.0 |
| WordPress Plugin | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | * - 1.9.6 |
| WordPress Plugin | PDF File Browser | * |
| WordPress Plugin | PICA Photo Gallery | * |
| WordPress Plugin | Power Zoomer | * - 2.1 |
| WordPress Plugin | slide-show-pro | * - 2.3 |
| WordPress Plugin | Smart Slideshow | * - 2.3 |
| WordPress Plugin | Spotlight | [*, 4.4) |
| WordPress Plugin | sprapid | * |
| WordPress Plugin | Ultimate TinyMCE | * - 3.5 |
| WordPress Plugin | wp-3dbanner-rotator | * - 2.1 |
| WordPress Plugin | 3D Flick Slideshow | * - 2.2 |
| WordPress Plugin | wp-bliss-gallery | [*, 2.3) |
| WordPress Plugin | wp-carouselslideshow | * - 3.10 |
| WordPress Plugin | wp-dreamworkgallery | * - 2.2 |
| WordPress Plugin | wp-ecommerce-cvs-importer | * |
| WordPress Plugin | wp-extended | * |
| WordPress Plugin | wp-flipslideshow | * - 2.1 |
| WordPress Plugin | Homepage SlideShow | * - 2.2 |
| WordPress Plugin | Image News Slider | * - 3.4 |
| WordPress Plugin | Levo Slideshow | * - 2.2 |
| WordPress Plugin | wp-matrix-gallery | * - 2.2 |
| WordPress Plugin | Powerplay Gallery | [*, 3.2) |
| WordPress Plugin | wp-royal-gallery | * - 2.0 |
| WordPress Plugin | wp-superb-slideshow | * - 2.3 |
| WordPress Plugin | wp-vertical-gallery | * - 2.2 |
| WordPress Plugin | wp-yasslideshow | * - 3.3 |
| WordPress Plugin | MailPoet Newsletters (Previous) | * - 2.1.6 |
| WordPress Core | WordPress | [*, 3.3.2) |
Data provided by the National Vulnerability Database (NVD)
Swfupload Project ≫ Swfupload Version <= 2.2.0.1
Swfupload Project ≫ Swfupload Version 1.0.2
Swfupload Project ≫ Swfupload Version 2.0.2
Swfupload Project ≫ Swfupload Version 2.1.0
Swfupload Project ≫ Swfupload Version 2.2.0
Tinymce ≫ Image Manager Version 1.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 6.26% | 0.905 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.