CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-4549 – WooCommerce SagePay Direct Payment Gateway < 0.1.6.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4549
Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter. Múltiples vulnerabilidades de XSS en pages/3DComplete.php en el plugin WooCommerce SagePay Direct Payment Gateway anterior a 0.1.6.7 para WordPress permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) MD o (2) PARes. • http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog http://www.securityfocus.com/bid/65355 https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 1CVE-2012-5792
https://notcve.org/view.php?id=CVE-2012-5792
The Sage Pay Direct module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. El módulo Sage Pay Direct en osCommerce no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido de su elección. • http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/79979 • CWE-20: Improper Input Validation •