CVE-2017-2135
Published 2017-04-28
CVE-2017-2135: Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified…
Priority P4 · 24 · medium · 6.1 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.68% (74.0th percentile)
Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp-statistics | wp_statistics | <= 12.0.1 | — |
| wp_statistics | wp_statistics | — | — |
CVSS provenance
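| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |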
GHSA
Sandbox bypass vulnerability in Script Security Plugin
ghsa·2022-05-24
CVE-2020-2135 [HIGH] CWE-693 Sandbox bypass vulnerability in Script Security Plugin
Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:
- Crafted constructor calls and bodies (due to an incomplete fix of [SECURITY-582](https://www.jenkins.io/security/advisory/2017-08-07/#super-constructor-calls))
- Crafted method calls on objects that implement `GroovyInterceptable`
This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.
Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement `GroovyInterceptable` as calls to `Groo
GHSA
GHSA-p367-x79q-2576: Cross-site scripting vulnerability in WP Statistics version 12
ghsa_unreviewed·2022-05-17
CVE-2017-2135 [MEDIUM] CWE-79 GHSA-p367-x79q-2576: Cross-site scripting vulnerability in WP Statistics version 12
Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-04-28: Published