4.3

CVE-2013-1636

Exploit

Pretty Links Lite < 1.6.3 - Stored Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.
Mögliche Gegenmaßnahme
PrettyLinks – Affiliate Link Management, URL Shortener, Link Cloaking, Tracking & Branded Short Links: Update to version 1.6.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CaseproofPrettylinks Version <= 1.6.2
CaseproofPrettylinks Version1.6.0
CaseproofPrettylinks Version1.6.1
JoobiCom Jnews Version8.0.1
CivicrmCivicrm Version3.1.0
CivicrmCivicrm Version3.1.1
CivicrmCivicrm Version3.1.2
CivicrmCivicrm Version3.1.3
CivicrmCivicrm Version3.1.4
CivicrmCivicrm Version3.1.5
CivicrmCivicrm Version3.1.6
CivicrmCivicrm Version3.2.0
CivicrmCivicrm Version3.2.1
CivicrmCivicrm Version3.2.2
CivicrmCivicrm Version3.2.3
CivicrmCivicrm Version3.2.4
CivicrmCivicrm Version3.2.5
CivicrmCivicrm Version3.3.0
CivicrmCivicrm Version3.3.1
CivicrmCivicrm Version3.3.2
CivicrmCivicrm Version3.3.3
CivicrmCivicrm Version3.3.5
CivicrmCivicrm Version3.3.6
CivicrmCivicrm Version3.4.0
CivicrmCivicrm Version4.0.5
CivicrmCivicrm Version4.1.0
CivicrmCivicrm Version4.1.1
CivicrmCivicrm Version4.1.2
CivicrmCivicrm Version4.1.3
CivicrmCivicrm Version4.1.4
CivicrmCivicrm Version4.1.5
CivicrmCivicrm Version4.1.6
CivicrmCivicrm Version4.2.0
CivicrmCivicrm Version4.2.1
CivicrmCivicrm Version4.2.2
CivicrmCivicrm Version4.2.4
CivicrmCivicrm Version4.2.5
CivicrmCivicrm Version4.2.6
CivicrmCivicrm Version4.2.7
CivicrmCivicrm Version4.2.8
CivicrmCivicrm Version4.2.9
CivicrmCivicrm Version4.3.0
CivicrmCivicrm Version4.3.1
CivicrmCivicrm Version4.3.2
CivicrmCivicrm Version4.3.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt PrettyLinks – Affiliate Link Management, URL Shortener, Link Cloaking, Tracking & Branded Short Links
Version [*, 1.6.3)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.31% 0.927
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://archives.neohapsis.com/archives/bugtraq/2013-02/0101.html
Patch
Exploit
http://osvdb.org/90435
http://packetstormsecurity.com/files/120433/WordPress-Pretty-Link-1.6.3-Cross-Site-Scripting.html
http://packetstormsecurity.com/files/121623/Joomla-Jnews-8.0.1-Cross-Site-Scripting.html
http://wordpress.org/plugins/pretty-link/changelog
https://civicrm.org/advisory/civi-sa-2013-002-openflashchart-xss
Patch
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/82242
https://www.wordfence.com/threat-intel/vulnerabilities/id/e0d6ef49-288b-47d9-bbf2-dc31a6e3621e
Third Party Advisory