CVE-2012-2399

medium

Description

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/75210

http://www.securityfocus.com/bid/53192

http://www.osvdb.org/91134

http://www.openwall.com/lists/oss-security/2013/07/18/13

http://www.debian.org/security/2012/dsa-2470

http://wordpress.org/news/2012/04/wordpress-3-3-2/

http://secunia.com/advisories/49138

http://seclists.org/fulldisclosure/2013/Mar/110

http://packetstormsecurity.com/files/122399/tinymce11-xss.txt

http://packetstormsecurity.com/files/120746/SWFUpload-Content-Spoofing-Cross-Site-Scripting.html

http://osvdb.org/81459

http://make.wordpress.org/core/2013/06/21/secure-swfupload/

http://jvndb.jvn.jp/jvndb/JVNDB-2012-002110

http://jvn.jp/en/jp/JVN25280162/index.html

http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swfupload.swf?rev=20503

Details

Source: Mitre, NVD

Published: 2012-04-21

Updated: 2017-12-19

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium