oss-sec mailing list archives

SWFUpload <= (Object Injection/CSRF) Vulnerabilities Multiple flaws


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 18 Jul 2013 14:25:19 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This was brought to my attention by Jay Turla <shipcodez () gmail com>;
after some searching I found:

http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html

and after testing (it works). So please use:

CVE-2013-4144 swfupload KedAns-Dz object injection
CVE-2013-4145 swfupload KedAns-Dz XSS
CVE-2013-4146 swfupload KedAns-Dz CSRF

Also alerting WordPress. Remember folks, if you spot a security
advisory in the wild without a CVE, tell us so we can tag and release
it and track it more easily! And also get it fixed.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----
