Posts Tagged ‘XSS attacks’

The latest vulnerabilities in WordPress plugins

Three Security Bypass vulnerabilities in WordPress plugins: Access Areas, Download Manager, and DukaPress.

1. Security Bypass in WordPress Access Areas Plugin

Danger: Low
Patch: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C) = Base: 7.5 / Temporal: 5.5

CSRF attack in WordPress

Vulnerability: CSRF attack in WordPress (XSS)

1. CSRF attack in WordPress Facebook Members

Danger level: Low
Patch: Yes
Number of vulnerabilities: 1

CVE ID: CVE-2013-2703
Attack vector: Remote
Impact: Cross Site Scripting

Affected products: WordPress Facebook Members Plugin 5.x
Affected versions: WordPress Facebook Members 5.0.4, possibly earlier.

WP-Sentinel – WordPress plugin for protection from dangerous HTTP requests

A plugin that protects your blog from malicious HTTP requests, various injections, XSS attacks, brute-force attacks and flooding, in order to keep a WordPress site from being hacked. It checks each HTTP request against a given set of rules in order to filter out malicious requests.

WP-Sentinel works as a firewall: it analyzes every HTTP request coming to the blog, recognizing and blocking dangerous attacks:

WordPress vulnerabilities

Vulnerability: Security Bypass WordPress MailUp

Danger level: Medium
Patch: None
Number of vulnerabilities: 1

CVE ID: CVE-2013-0731
Attack vector: Remote
Impact: Security Bypass

Affected products: WordPress MailUp Plugin 1.x

Affected versions: WordPress MailUp 1.3.2, perhaps the only one.

Vulnerability: Cross-site scripting in WordPress Count per Day

Danger level: Low
Patch: None
Number of vulnerabilities: 1

Attack vector: Remote
Impact: Cross Site Scripting

Affected products: WordPress Count per Day Plugin 3.x

Affected versions: WordPress Count per Day 3.2.5, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused by insufficient input validation of the parameter “daytoshow” in the script wp-content/wp-admin/index.php (when the parameter “page” is “cpd_metaboxes”). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

XSS-attacks

Hosting providers report a significant increase in the number of XSS attacks.

According to statistics from the hosting company Firehost, the number of XSS attacks on websites in the last quarter of 2012 soared by 160% compared with the same period of 2011. According to the company, of the 64 million attacks detected and blocked, some 2.6 million were cross-site scripting attacks. In the preceding quarter, just over a million XSS attacks were detected.

By the other main attack types, Firehost means three basic ones: directory traversal, SQL injection and cross-site request forgery (CSRF). These three accounted for 15, 16 and 12 percent of the attacks, respectively.

Firehost notes that XSS is a basic type of attack used by hackers. It works by placing malicious code on insecure pages and allows an attacker to manipulate the actions of users of the attacked site. Despite its simplicity, this type of attack has a wide range of uses, from defacing a site to phishing.

XSS in WordPress

Vulnerability: CSRF attack in WordPress Knews Multilingual Newsletters

Danger: Low
Patch: Yes
Number of vulnerabilities: 1

Attack vector: Remote
Impact: Cross Site Scripting

Affected products: WordPress Knews Multilingual Newsletters Plugin 1.x

Affected versions: Knews WordPress Multilingual Newsletters 1.2.5, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused by insufficient verification of HTTP requests when certain actions are performed. A remote user can carry out a CSRF attack and change the e-mail address.

XSS in Mixpanel

Vulnerability: XSS in Drupal Mixpanel

Danger: Low
Patch: Yes
Number of vulnerabilities: 1

Attack vector: Remote
Impact: Cross Site Scripting

Affected products: Mixpanel 6.x (module for Drupal)

Affected versions: Drupal Mixpanel versions up to 6.x-1.1.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused by insufficient validation of the Mixpanel token when the tracking JavaScript is added to the page. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

XSS in WordPress

Vulnerability: XSS in WordPress WP e-Commerce Predictive Search

Danger: Low
Patch: Yes
Number of vulnerabilities: 1

Attack vector: Remote
Impact: Cross Site Scripting

Affected products: WordPress WP e-Commerce Predictive Search Plugin 1.x

Affected versions: WordPress WP e-Commerce Predictive Search 1.1.1, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.

The vulnerability is caused by insufficient input validation of the parameter “rs” in the script index.php (when the parameter “page_id” refers to the predictive search page). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Multiple vulnerabilities in Joomla!

Vulnerability: Multiple vulnerabilities in Joomla!

Danger: Low
Patch: Yes
Number of vulnerabilities: 1

CVE ID: CVE-2012-5827
Attack vector: Remote
Impact: Cross Site Scripting, Security Bypass

Affected products: Joomla! 2.x

Affected versions: Joomla! 2.5.7, possibly earlier.

Description:

The vulnerability allows malicious people to conduct XSS attacks.