CVE-2012-2399 — Cross-site Scripting in Wordpress

9 documents6 sources

Severity

10.0CRITICALNVD

EPSS

4.3%

top 11.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedApr 21

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.3.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.3.2+dfsg-1+3

▶NVDwordpress/wordpress3.3.1+77

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-m6ch-qxrg-ggw6: Cross-site scripting (XSS) vulnerability in swfupload↗2022-05-17

▶

OSV

CVE-2012-2399: Cross-site scripting (XSS) vulnerability in swfupload↗2012-04-21

▶

📋Vendor Advisories

Debian

CVE-2012-2399: wordpress - Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 a...↗2012

▶

📄Research Papers

CTF

headquarters / Exposure-L11C10↗2024

▶

💬Community

Bugzilla

hacks.mozilla.org - SWFUpload Vulnerable Version↗2012-05-02

▶

Bugzilla

[XSS] air.mozilla.org - SWFUpload Vulnerable Version↗2012-05-02

▶

Bugzilla

CVE-2012-2399 CVE-2012-2400 CVE-2012-2402 CVE-2012-2403 CVE-2012-2404 wordpress various flaws [epel-5]↗2012-04-23

▶

Bugzilla

CVE-2012-2399 wordpress (X < 3.3.2): Unspecified vulnerability in SWFUpload↗2012-04-23

▶