PT-2012-4012 · WordPress+2 · Wordpress+2

Szymon Gruszecki

Published

2012-04-21

Updated

2017-12-19

CVE-2012-2399

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SWFupload versions 2.2.0.1 and earlier WordPress versions prior to 3.5.2 TinyMCE Image Manager versions 1.1 and earlier

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter. This enables attackers to execute malicious scripts on the client-side.

Recommendations For SWFupload versions 2.2.0.1 and earlier, avoid using the buttonText parameter in the affected API endpoint until the issue is resolved. For WordPress versions prior to 3.5.2, update to version 3.5.2 or later. For TinyMCE Image Manager versions 1.1 and earlier, update to a version later than 1.1.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2012-2399

DSA-2470-1

Affected Products

Swfupload

Tinymce Image Manager

Wordpress

PT-2012-4012 · WordPress+2 · Wordpress+2

CVE-2012-2399

Related Identifiers

Affected Products

References · 20