Date: Mon, 13 Apr 2015 20:02:40 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1 - 1.1.6

On 13 April 2015 at 18:25, <cve-assign@...re.org> wrote:
>> I'd like to request a CVE ID for this issue. This is the first such
>> request; this message serves as an advisory as well.
>>
>> Affected software: Floating Social Bar (Wordpress plugin)
>> Affected versions: 1.0.1 - 1.1.6
>> Website: https://wordpress.org/plugins/floating-social-bar/
>>
>> Description: One of the plugin's unauthenticated AJAX action handlers
>> is vulnerable to a stored cross-site scripting vulnerability. By
>> invoking the action with certain parameters, it is possible for
>> unauthenticated attackers to force the persistent injection of
>> arbitrary script across the site's post pages.
>>
>> Fixed version: 1.1.7
>> Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
>> Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5
>
> Use CVE-2015-3299 for the specific issue in your "Description" section
> above. It seems conceivable that 1129648 also fixed something else,
> e.g.,
>
> 1. Maybe the
> "- add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );"
>
> code change means that wp_ajax_nopriv_fsb_save_order allowed
> bypassing intended access control, even if the attacker did not
> supply an XSS payload.

Yes. It wasn't intended for non-administrators to be able to adjust the
services by executing the action.

>
> 2. Maybe the patched code can help to prevent a CSRF attack against
> an authenticated action handler.

Again, yes. Administrators could be forced to execute the action with an
attacker's parameters via a CSRF attack. Nonces have been added to stop
this.

>
> If so, then additional CVE IDs would be needed.
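As an added illustration (not the Floating Social Bar plugin's own code, which this thread does not reproduce), the three weaknesses the exchange names, an unauthenticated `wp_ajax_nopriv_` hook, a missing nonce, and unvalidated input that is stored and later rendered, shown in a hypothetical WordPress handler beside a hardened version; all `exampleplugin_*` names and the `exampleplugin_services` option are assumptions:

```php
<?php
// Hypothetical plugin "exampleplugin" that saves an ordered list of
// service names via admin-ajax.php. Assumed names throughout.

// --- Weak pattern: the three problems discussed in the thread. ---
// 1. wp_ajax_nopriv_* exposes the handler to unauthenticated visitors.
// 2. No nonce check, so a logged-in admin can be driven to it by CSRF.
// 3. Input is stored unsanitised and later echoed unescaped (stored XSS).
function exampleplugin_save_order_weak() {
    update_option( 'exampleplugin_services', $_POST['order'] );
    wp_die();
}
add_action( 'wp_ajax_exampleplugin_save_order',        'exampleplugin_save_order_weak' );
add_action( 'wp_ajax_nopriv_exampleplugin_save_order', 'exampleplugin_save_order_weak' );

// --- Hardened pattern. ---
function exampleplugin_save_order_hardened() {
    // CSRF: the request must carry a nonce issued for this exact action.
    check_ajax_referer( 'exampleplugin_save_order', 'nonce' );
    // Authorisation: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Input validation: keep only known service keys, in the order given.
    $allowed = array( 'facebook', 'twitter', 'linkedin' );
    $order   = isset( $_POST['order'] ) ? (array) wp_unslash( $_POST['order'] ) : array();
    $order   = array_values( array_intersect( array_map( 'sanitize_key', $order ), $allowed ) );
    update_option( 'exampleplugin_services', $order );
    wp_send_json_success( $order );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_exampleplugin_save_order', 'exampleplugin_save_order_hardened' );

// Output side: escape at render time even though input was validated,
// so a stale or hand-edited option value cannot become script.
function exampleplugin_render_services() {
    foreach ( (array) get_option( 'exampleplugin_services', array() ) as $service ) {
        echo '<span class="exampleplugin-' . esc_attr( $service ) . '">'
            . esc_html( $service ) . '</span>';
    }
}

// The admin page hands this nonce to its JavaScript, which posts it as
// the 'nonce' field that check_ajax_referer() above looks for.
function exampleplugin_nonce_for_js() {
    return wp_create_nonce( 'exampleplugin_save_order' );
}
```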