CVE-2013-4954
published 2013-07-29CVE-2013-4954: Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New…
PriorityP418low2.6CVSS 2.0
AVNACHAuNCNIPAN
EXPLOIT
EPSS
6.15%
92.6th percentile
Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. NOTE: some of these details are obtained from third party information.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| genetechsolutions | pie-register | <= 1.30 | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| genetechsolutions | pie-register | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:P/A:N
vendor_msrc5.9MEDIUM
vendor_redhat5.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jpgx-25w5-rvq8: Multiple cross-site scripting (XSS) vulnerabilities in wp-login
ghsa_unreviewed·2022-05-17
CVE-2013-4954 [LOW] CWE-79 GHSA-jpgx-25w5-rvq8: Multiple cross-site scripting (XSS) vulnerabilities in wp-login
Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. NOTE: some of these details are obtained from third party information.
Microsoft
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. Th
vendor_msrc·2017-10-10·CVSS 5.9
CVE-2017-15042 [MEDIUM] CWE-319 An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. Th
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits t
Red Hat
golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
vendor_redhat·2017-10-04·CVSS 5.9
CVE-2017-15042 [MEDIUM] CWE-300 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement
No detection rules found.
No writeups or analysis indexed.
http://osvdb.org/95160http://plugins.trac.wordpress.org/changeset?reponame=&old=740249%40pie-register&new=740249%40pie-registerhttp://secunia.com/advisories/54123http://wordpress.org/plugins/pie-register/changelog/http://wordpress.org/support/topic/security-issue-web-application-cross-site-scriptinghttp://www.securityfocus.com/bid/61140https://exchange.xforce.ibmcloud.com/vulnerabilities/85604http://osvdb.org/95160http://plugins.trac.wordpress.org/changeset?reponame=&old=740249%40pie-register&new=740249%40pie-registerhttp://secunia.com/advisories/54123http://wordpress.org/plugins/pie-register/changelog/http://wordpress.org/support/topic/security-issue-web-application-cross-site-scriptinghttp://www.securityfocus.com/bid/61140https://exchange.xforce.ibmcloud.com/vulnerabilities/85604
2013-07-29
Published