oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request - CSRF and XSS in Encrypted Contact Form Wordpress Plugin v1.0.4

From: cve-assign () mitre org
Date: Sat, 16 May 2015 09:14:24 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I discovered CSRF and XSS vulnerabilities in the Encrypted Contact Form
Wordpress Plugin v1.0.4 which was responsibly disclosed and patched by the
vendor in v1.1.



https://plugins.trac.wordpress.org/changeset/1125443/



http://seclists.org/fulldisclosure/2015/May/63



https://wordpress.org/plugins/encrypted-contact-form/changelog/
1.1

Detection of CSRF attacks added



action="/wp-admin/options-general.php?page=conformconf"
name="iframe_url" value="[XSS]"


Use CVE-2015-4010 for this CSRF vulnerability (with resultant XSS).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVV0IqAAoJEKllVAevmvmsiDkH/R51FqbfSiQZvFUtywS5Q5d3
jKNkpOyQEkDStzjlN6U9lNTFJRWxE9+GV5FfvMMjOBxlCtZx9QaurnpNUdf5eBYh
iuQrqpgPR6qWhhycEwTv5YyWI2ssDyL9KMne15Kdwv6pifDnNftxceOd5nlsZ+Z4
L77Y3Fz4N9dPb8Gnst7K8AYOwku4an+sLiQyz/2JvUGqFyZyxMMY58ExwaQG2/UL
loFKkn4tFb2t9ABNtQctYjnYJWZ3PVtgEntCNBVNqtXMgY+Rsn32SPh9buXnUoyl
6i8g4s5aKbh5zzIBgQw48FNI/CIcICcp3h+e67yCgt46lWqwrZfTBe6S3UTqs0I=
=ALMA
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: