CVE-2012-3414 Information
Share on:Description
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier as used in WordPress before 3.3.2 TinyMCE Image Manager 1.1 and other products allows remote attackers to inject arbitrary web script or HTML via the movieName parameter related to the \ExternalInterface.call\ function.
Reference
http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html http://code.google.com/p/swfupload/issues/detail?id=376 http://make.wordpress.org/core/2013/06/21/secure-swfupload/ http://packetstormsecurity.com/files/122399/TinyMCE-Image-Manager-1.1-Cross-Site-Scripting.html http://www.openwall.com/lists/oss-security/2012/07/16/4 http://www.openwall.com/lists/oss-security/2012/07/17/12 http://www.securityfocus.com/bid/54245 https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/