Page 39 of 345 results (0.013 seconds)

CVSS: 6.4EPSS: 0%CPEs: 77EXPL: 0

The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. La configuración por defecto en SWFUpload en WordPress anterior a v3.5.2 tiene una configuración security.allowDomain no restrictiva, permitiendo a atacantes remotos eludir el "Same Origin Policy" y llevar a cabo ataques cross-site scripting (XSS) a través de un sitio web manipulado. • http://codex.wordpress.org/Version_3.5.2 http://make.wordpress.org/core/2013/06/21/secure-swfupload http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 http://www.securityfocus.com/bid/60759 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-16: Configuration CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 77EXPL: 0

The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235. La HTTP API en WordPress anteriores a v3.5.2 permite a atacantes remotos enviar peticiones HTTP a los servidores de la intranet a través de vectores no especificados, relacionado con peticiones manipuladas del lado del servidor (Server-Side Request Forgery (SSRF)), es similar a CVE-2013-0235. • http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-264: Permissions, Privileges, and Access Controls CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.3EPSS: 2%CPEs: 1EXPL: 1

wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie. wp-includes/class-phpass.php en WordPress v3.5.1, cuando un password protegido existe, permite a atacantes remotos causar una denegación de servicio (consumo de CPU) mediante una valor especialmente diseñado para cierto cookie wp-postpass. • http://archives.neohapsis.com/archives/bugtraq/2013-06/0052.html http://codex.wordpress.org/Version_3.5.2 http://openwall.com/lists/oss-security/2013/06/12/2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://github.com/wpscanteam/wpscan/issues/219 https://vndh.net/note:wordpress-351-denial-service • CWE-310: Cryptographic Issues CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.4EPSS: 3%CPEs: 76EXPL: 1

The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. La API XMLRPC en WordPress anteriores a v3.5.1 permite a a atacantes remotos a enviar peticiones HTTP a servidores de la intranet, y conducir ataques de escaneo de puertos, especificando una URL origen manipulada en la respuesta a un ping, relacionado con una falsificación de petición del lado del servidor (SSRF). • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23330 http://wordpress.org/news/2013/01/wordpress-3-5-1 http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=904120 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.4EPSS: 0%CPEs: 76EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress anteriores a v3.5.1 permite a atacantes remotos a inyectar comandos web o HTML a través de vectores que implican (1) códigos cortos de la galería o (2) contenido de un post. • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23317 http://core.trac.wordpress.org/changeset/23322 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •