CVE-2019-19133

Exploit

EPSS 0.23%
Veröffentlicht 04.12.2019 19:15:11
Zuletzt bearbeitet 21.11.2024 04:34:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

CSS Hero <= 4.0.3 - Reflected Cross-Site Scripting

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks.

Mögliche Gegenmaßnahme

CSS Hero: Update to version 4.07, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt CSS Hero

Version *-4.03

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Csshero ≫ Csshero Version4.0.3 SwPlatformwordpress

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.46

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/155558/WordPress-CSS-Hero-4.0.3-Cross-Site-Scripting.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2019/Dec/6

Third Party Advisory

Exploit

Mailing List

https://wpvulndb.com/vulnerabilities/9966

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/ffb97fa2-456c-4bc4-a09c-54daa17be3e8

Third Party Advisory