6.1
CVE-2020-28707
- EPSS 0.6%
- Veröffentlicht 19.01.2021 22:15:12
- Zuletzt bearbeitet 21.11.2024 05:23:08
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginStockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.
Mögliche Gegenmaßnahme
Stockdio Historical Chart: Update to version 2.8.1, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Stockdio Historical Chart
Version
[*, 2.8.1)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Stockdio ≫ Stockdio Historical Chart SwPlatformwordpress Version < 2.8.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.6% | 0.687 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.