CVE-2012-2399 Information
Share on:Description
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier as used in WordPress before 3.5.2 TinyMCE Image Manager 1.1 and earlier and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter a different vulnerability than CVE-2012-3414.
Reference
http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swfupload.swf?rev=20503 http://jvn.jp/en/jp/JVN25280162/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-002110 http://make.wordpress.org/core/2013/06/21/secure-swfupload/ http://osvdb.org/81459 http://packetstormsecurity.com/files/120746/SWFUpload-Content-Spoofing-Cross-Site-Scripting.html http://packetstormsecurity.com/files/122399/tinymce11-xss.txt http://seclists.org/fulldisclosure/2013/Mar/110 http://secunia.com/advisories/49138 http://wordpress.org/news/2012/04/wordpress-3-3-2/ http://www.debian.org/security/2012/dsa-2470 http://www.openwall.com/lists/oss-security/2013/07/18/13 http://www.osvdb.org/91134 http://www.securityfocus.com/bid/53192 https://exchange.xforce.ibmcloud.com/vulnerabilities/75210