CVE-2014-4513
Published 2014-07-01
CVE-2014-4513: Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow…
Priority P4 · 24 · medium · 4.3 CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 4.51% (90.3th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| activehelper | activehelper_livehelp_live_chat | <= 3.1.0 | — |
| activehelper | activehelper_livehelp_live_chat | — | — |
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 7.5 HIGH
GHSA
GHSA-rc6c-rqx8-wrpc: Multiple cross-site scripting (XSS) vulnerabilities in server/offline
ghsa_unreviewed·2022-05-17
CVE-2014-4513 [MEDIUM] CWE-79 GHSA-rc6c-rqx8-wrpc: Multiple cross-site scripting (XSS) vulnerabilities in server/offline
Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
Red Hat
JAAS: LDAPLoginModule allows empty password authentication
vendor_redhat·2015-02-05·CVSS 7.5
CVE-2014-3612 [HIGH] CWE-20 JAAS: LDAPLoginModule allows empty password authentication
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid u
No detection rules found.
Nuclei
ActiveHelper LiveHelp Server 3.1.0 - Cross-Site Scripting
nuclei·CVSS 4.3
CVE-2014-4513 [MEDIUM] ActiveHelper LiveHelp Server 3.1.0 - Cross-Site Scripting
Multiple cross-site scripting vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
Template:
```yaml
id: CVE-2014-4513
info:
  name: ActiveHelper LiveHelp Server 3.1.0 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: Multiple cross-site scripting vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
  impact: |
    Successful exploitation of this vulnerability could allo
```
Bugzilla
CVE-2014-3612 ActiveMQ JAAS: LDAPLoginModule allows empty password authentication
bugzilla·2014-09-01·CVSS 7.5
CVE-2014-3612 [HIGH] CVE-2014-3612 ActiveMQ JAAS: LDAPLoginModule allows empty password authentication
Issue Description:
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
Discussion:
Acknowledgements:
Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.
---
This issue has been addressed in the following produ
Bugzilla
CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
bugzilla·2014-06-30·CVSS 6.8
CVE-2014-4668 [MEDIUM] CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
Matthew Daley reported the following flaw:
""
Cherokee supports authenticating users via LDAP. It does
not ensure that users provide a non-empty password when doing so. If
the underlying LDAP server allows unauthenticated binds (see RFC 4513,
section 5.1.2: ), an
unauthenticated bind will be performed and not the name/password-based
authenticated bind that Cherokee is expecting. The success of this
bind will cause Cherokee to authenticate the user. This allows an
attacker to authenticate as a user for which they only know the
username and not the password.
Affected versions: current releases (<= 1.2.103)
""
Upstream fix: https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf