Vulnerability Description
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | <= 3.3.1 |
References
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swf
- http://jvn.jp/en/jp/JVN25280162/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-002110
- http://make.wordpress.org/core/2013/06/21/secure-swfupload/
- http://osvdb.org/81459
- http://packetstormsecurity.com/files/120746/SWFUpload-Content-Spoofing-Cross-Sit
- http://packetstormsecurity.com/files/122399/tinymce11-xss.txt
- http://seclists.org/fulldisclosure/2013/Mar/110
- http://secunia.com/advisories/49138
- http://wordpress.org/news/2012/04/wordpress-3-3-2/PatchVendor Advisory
- http://www.debian.org/security/2012/dsa-2470
- http://www.openwall.com/lists/oss-security/2013/07/18/13
- http://www.osvdb.org/91134
- http://www.securityfocus.com/bid/53192
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75210
FAQ
What is CVE-2012-2399?
CVE-2012-2399 is a vulnerability with a CVSS score of 10.0 (HIGH). Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote a...
How severe is CVE-2012-2399?
CVE-2012-2399 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2399?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.