CVE-2014-5347

Exploit

EPSS 3.15%
Veröffentlicht 19.08.2014 19:55:04
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Disqus Comment System < 2.76 - Cross-Site Request Forgery

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.

Mögliche Gegenmaßnahme

Disqus Comment System: Update to version 2.76, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 14

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Disqus Comment System

Version [*, 2.76)

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Disqus ≫ Disqus Comment System SwPlatformwordpress Version <= 2.75

Disqus ≫ Disqus Comment System Version2.40 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.41 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.42 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.43 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.44 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.45 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.46 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.47 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.48 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.49 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.50 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.51 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.52 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.53 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.54 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.55 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.60 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.61 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.62 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.63 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.64 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.65 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.66 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.67 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.68 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.69 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.70 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.71 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.72 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.73 SwPlatformwordpress

Disqus ≫ Disqus Comment System Version2.74 SwPlatformwordpress

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.15%	0.867

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html

http://seclists.org/fulldisclosure/2014/Aug/35

http://www.securityfocus.com/bid/69205

https://wordpress.org/plugins/disqus-comment-system/other_notes

Patch

https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin

Exploit

http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html

Exploit

http://www.exploit-db.com/exploits/34336

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/95288