Full Disclosure mailing list archives
Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 02 Mar 2013 19:45:35 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/02/2013 10:17 AM, Henri Salo wrote:
On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:I'm resending my letter from February 23, 2013 (since FD was not working that day). After my previous list of vulnerable software with ZeroClipboard.swf, here is a list of software with ZeroClipboard10.swf. These are Cross-Site Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS. Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications. Among them are em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are many other vulnerable web applications with ZeroClipboard10.swf (some of them also contain ZeroClipboard.swf).So did you report this vulnerability to those projects? Even to security@ or similar address? I noticed this vulnerability from WordPress plugins. Did you report those? Did you ask CVE identifiers?
Please use CVE-2013-1808 for this issue. Added the author to the CC so he's aware of it. Also thanks to Henri Salo who has taken on coordinating this issue (it appears to affect quite a few things).
-- Henri Salo
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRMrlPAAoJEBYNRVNeJnmTdIcP/jCg7dnLg39HSNiFCpSUtp4m I5kvJqyCcIEfVH7E6buHjN81tD8j4HTQBm89lxwD5E+Ukk0vwLrJ8hekEn10hY6A Mhr1oaxM6RlRLYEkNLt9njnd1iyLW5Vt47SCuqv5p0EmFZ7Uy/2fdZMziIAUEuIM kh2Si3097ntuZL+HagF6SQziiVIBIpLVI5qwCi4aULix949rVIHUhOFgP1AMTMKp b64nSCGkxxd/hZ1j8qOTt/zSdkMwmRyIteP5UcJ2C8opRPU8TKR780kq7PyAPZhi ZYPUhztgEnTKVbvtv8eZ5aS4IjVGZGNC4yF5+GOtCMs6OCToMW7WZ5STbCK1uR1n 1ArPFBYg4kK+ul33NYlUOJcdXbGoQE/ImIjh+jmzI4NjREwGGbBawICl3Q1GFvLd +tBrKY8C4q9LDQzIR0ctkywkLi/6t95ds5iRzZhBL2V+4EjjmWDoo8Zyx+gQuQ4A BTWsV5IdT9DIarIw7lW09DU2pGjkFm/y8mNBde2a5ZnSqZIsTBwCu2M2NhyfQ8vi MQI4M/aGB8pG/DeGmaYNmQkYk4a/Hb8tyApSWLsVmrDQgpEpQ9Y9rrbuM+K6GspA 1MC2/bCZGYf3GM0EApGJY64UCE9s0qzGs0Sy3g5cUNFUsoDRrKPdxnkiA8rk1yY9 eMC+bdCYgeHd/CZwsMYp =oHXG -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS MustLive (Mar 01)
- Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS Henri Salo (Mar 02)
- Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf Kurt Seifried (Mar 02)
- Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS Henri Salo (Mar 02)