Message-ID: <51DEF470.8070707@redhat.com>
Date: Thu, 11 Jul 2013 12:07:44 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, plugins@...dpress.org, moderators@...db.org
Subject: Re: CVE request: WordPress plugin category-grid-view-gallery XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/11/2013 12:05 PM, Henri Salo wrote:
> On Thu, Jul 11, 2013 at 11:59:13AM -0600, Kurt Seifried wrote:
>> On 07/10/2013 08:12 PM, Henri Salo wrote:
>>> Can I get a 2013 CVE identifier for XSS vulnerability in
>>> WordPress plugin category-grid-view-gallery, thanks.
>>>
>>> Plugin page:
>>> http://wordpress.org/plugins/category-grid-view-gallery/
>>> Original advisory: http://seclists.org/bugtraq/2013/Jul/17
>>> Version affected: 2.3.1 (older probably affected too)
>>> PoC:
>>> https://example.com/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=44%22%3E%3Cimg%20src=%22http://%22%20onerror=alert%28document.cookie%29;%3E
>>>
>>> Not yet fixed as author did not contact vendor. Top 1277 plugin by
>>> popularity. WordPress guys could you coordinate this with
>>> plugin developer, thanks?
>>>
>>> --- Henri Salo
>>
>> Can you confirm the vulnerability? I don't see any follow up
>> emails/etc. Thanks.
>
> This is the confirmation. I manually tested this in 2.3.1 version.
>
> --- Henri Salo

Thanks, please use CVE-2013-4117 for this issue.
-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993