4 results (0.012 seconds)

CVSS: 6.4EPSS: 0%CPEs: 89EXPL: 1

Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados en Plupload.as en Moxiecode Plupload anteriores a v1.5.5, como el usado en WordPress anteriores a v3.5.1 y otros productos, permiten a atacantes remotos inyectar comandos web o HTML a través del parámetro id. • http://codex.wordpress.org/Version_3.5.1 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904122 https://github.com/moxiecode/plupload/commit/2d746ee9083c184f1234d8fed311e89bdd1b39e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 89EXPL: 0

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. Plupload antes de v1.5.4, tal y como se utiliza en wp-includes/js/plupload/ en WordPress antes de v3.3.2 y otros productos, permite ejecutar secuencias de comandos, independientemente del dominio desde el que se cargó el contenido SWF, lo que permite a atacantes remotos evitar la política de mismo origen a través de contenido malicioso. • http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487 http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487 http://osvdb.org/81461 http://secunia.com/advisories/49138 http://wordpress.org/news/2012/04/wordpress-3-3-2 http://www.debian.org/security/2012/dsa-2470 http://www.plupload.com/punbb/viewtopic.php?id=1685 http://www.securityfocus.com/bid/53192 https://exchange.xforce.ibmcloud.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the (1) theme, (2) language, (3) plugins, or (4) lang parameter. • https://www.exploit-db.com/exploits/4441 http://secunia.com/advisories/18262 http://securityreason.com/securityalert/306 http://securitytracker.com/id?1015424 http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2233 http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2244 http://www.hardened-php.net/advisory_262005.111.html http://www.osvdb.org/22116 http://www.securityfocus.com/archive/1/420543/100/0/threaded http://www.securityfocus.com/bid/16083 https://exchange.xforce. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to inject arbitrary web script or HTML via the index parameter. • http://secunia.com/advisories/18262 http://securitytracker.com/id?1015424 http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2233 http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2244 http://www.hardened-php.net/advisory_262005.111.html http://www.osvdb.org/22117 http://www.securityfocus.com/archive/1/420543/100/0/threaded http://www.securityfocus.com/bid/16083 https://exchange.xforce.ibmcloud.com/vulnerabilities/23906 •