Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 11 Apr 2015 21:31:54 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1
 - 1.1.6

I'd like to request a CVE ID for this issue. This is the first such
request; this message serves as an advisory as well.

Affected software: Floating Social Bar (Wordpress plugin)
Affected versions: 1.0.1 - 1.1.6
Website: https://wordpress.org/plugins/floating-social-bar/
Reported by: Matthew Daley

Description: One of the plugin's unauthenticated AJAX action handlers
is vulnerable to a stored cross-site scripting vulnerability. By
invoking the action with certain parameters, it is possible for
unauthenticated attackers to force the persistent injection of
arbitrary script across the site's post pages.

Fixed version: 1.1.7
Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5

- Matthew Daley

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.