Date: Sat, 16 May 2015 09:14:24 -0400 (EDT)
From: cve-assign@...re.org
To: venkatesh.nitin@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - CSRF and XSS in Encrypted Contact Form WordPress Plugin v1.0.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I discovered CSRF and XSS vulnerabilities in the Encrypted Contact Form
> WordPress Plugin v1.0.4 which was responsibly disclosed and patched by the
> vendor in v1.1.

> https://plugins.trac.wordpress.org/changeset/1125443/

> http://seclists.org/fulldisclosure/2015/May/63

> https://wordpress.org/plugins/encrypted-contact-form/changelog/
> 1.1
> 
> Detection of CSRF attacks added

> action="/wp-admin/options-general.php?page=conformconf"
> name="iframe_url" value="[XSS]"

Use CVE-2015-4010 for this CSRF vulnerability (with resultant XSS).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVV0IqAAoJEKllVAevmvmsiDkH/R51FqbfSiQZvFUtywS5Q5d3
jKNkpOyQEkDStzjlN6U9lNTFJRWxE9+GV5FfvMMjOBxlCtZx9QaurnpNUdf5eBYh
iuQrqpgPR6qWhhycEwTv5YyWI2ssDyL9KMne15Kdwv6pifDnNftxceOd5nlsZ+Z4
L77Y3Fz4N9dPb8Gnst7K8AYOwku4an+sLiQyz/2JvUGqFyZyxMMY58ExwaQG2/UL
loFKkn4tFb2t9ABNtQctYjnYJWZ3PVtgEntCNBVNqtXMgY+Rsn32SPh9buXnUoyl
6i8g4s5aKbh5zzIBgQw48FNI/CIcICcp3h+e67yCgt46lWqwrZfTBe6S3UTqs0I=
=ALMA
-----END PGP SIGNATURE-----
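The issue assigned above is a settings form on a wp-admin page that accepted a POST without any anti-CSRF token and then echoed the stored `iframe_url` value back into the page unescaped, so a cross-site request could both change the option and plant markup that later ran in an administrator's browser. The following is an added illustration of that pattern and of the standard WordPress hardening for it; it is not the Encrypted Contact Form plugin's code and not part of the original message. The option name, nonce action string, page slug and function names are hypothetical; the WordPress API functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `esc_url_raw`, `esc_attr`, `esc_url`, `admin_url`, `update_option`, `get_option`, `wp_unslash`) are real core functions.

```php
<?php
// Added illustrative example, NOT the Encrypted Contact Form plugin's code.
// Option name, nonce action, page slug and function names are hypothetical.

// --- Vulnerable pattern: no CSRF token on input, no escaping on output ---
function ecf_example_settings_page_vulnerable() {
    if ( isset( $_POST['iframe_url'] ) ) {
        // Any third-party page that makes a logged-in admin's browser POST here
        // (e.g. an auto-submitting hidden form) changes the option: CSRF.
        update_option( 'ecf_example_iframe_url', wp_unslash( $_POST['iframe_url'] ) );
    }
    $url = get_option( 'ecf_example_iframe_url', '' );
    // The stored value is written into an attribute unescaped, so a value such as
    // "><script>...</script> breaks out of the attribute: resultant stored XSS
    // that fires for every admin who later opens the settings page.
    echo '<form method="post">';
    echo '<input type="text" name="iframe_url" value="' . $url . '">';
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened pattern: capability check, nonce, sanitise on input, escape on output ---
function ecf_example_settings_page_hardened() {
    if ( isset( $_POST['iframe_url'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // check_admin_referer() validates the nonce emitted by wp_nonce_field()
        // below and dies on failure, so a cross-site POST never reaches
        // update_option(). The nonce is tied to the user and session, which is
        // what a cross-origin attacker cannot obtain.
        check_admin_referer( 'ecf_example_save_settings', 'ecf_example_nonce' );
        // esc_url_raw() keeps only URLs with an allowed scheme (http/https etc.),
        // so "javascript:" and attribute-breaking payloads do not get stored.
        $url = esc_url_raw( wp_unslash( $_POST['iframe_url'] ) );
        update_option( 'ecf_example_iframe_url', $url );
    }
    $url = get_option( 'ecf_example_iframe_url', '' );
    echo '<form method="post" action="'
        . esc_url( admin_url( 'options-general.php?page=ecf-example' ) ) . '">';
    wp_nonce_field( 'ecf_example_save_settings', 'ecf_example_nonce' );
    // esc_attr() makes attribute breakout impossible even if a bad value
    // ever reached the database by another path (defence in depth).
    echo '<input type="text" name="iframe_url" value="' . esc_attr( $url ) . '">';
    echo '<input type="submit" value="Save"></form>';
}
```

The two halves of the fix are independent and both matter: the nonce stops the cross-site write (the CSRF in the CVE title), while sanitising on input and escaping on output removes the resultant XSS even for a same-origin writer. A changelog entry reading only "Detection of CSRF attacks added" is worth checking against the diff to confirm the output path was escaped as well.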
