PT-2019-18587 · Mythemeshop · Mythemeshop Launcher

Publicado

2019-05-13

Atualizado

2019-05-14

CVE-2019-7411

CVSS v3.1

5.4

Média

Vetor

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions MyThemeShop Launcher plugin version 1.0.8

Description The issue concerns multiple stored cross-site scripting (XSS) instances. Remote authenticated users can inject arbitrary web script or HTML via various fields, including:

Title
Favicon
Meta Description
Subscribe Form fields: Name field label, Last name field label, Email field label
Contact Form fields: Name field label and Email field label
Social Links fields: Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL

Recommendations For MyThemeShop Launcher plugin version 1.0.8, consider updating to a newer version that addresses these stored XSS issues. As a temporary workaround, restrict access to the fields mentioned above to minimize the risk of exploitation.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2019-7411

Produtos afetados

Mythemeshop Launcher

PT-2019-18587 · Mythemeshop · Mythemeshop Launcher

CVE-2019-7411

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4