CVE-2019-12562
Published 2019-09-26
Priority: P342 · medium · 6.1 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 6.17% (92.6th percentile)
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perform any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | < 9.4.0 | 9.4.0 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10ubuntu0.16.04.3 | 1.0.25-10ubuntu0.16.04.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm1 | 1.0.25-7ubuntu2.2+esm1 |
CVSS provenance
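| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 9.8 | CRITICAL | |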
OSV
libsndfile vulnerabilities
osv·2021-01-26·CVSS 9.8
CVE-2017-12562 libsndfile vulnerabilities
It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-12562)
It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 ESM. (CVE-2017-14245,
CVE-2017-14246, CVE-2017-14634, CVE-2017-16942, CVE-2017-6892,
CVE-2018-13139, CVE-2018-19432, CVE-2018-19661, CVE-2018-19662,
CVE-2018-19758, CVE-2019-3832)
GHSA
Stored Cross-Site Scripting vulnerability in admin component of DotNetNuke
ghsa·2019-11-18
CVE-2019-12562 [MEDIUM] CWE-79 Stored Cross-Site Scripting vulnerability in admin component of DotNetNuke
Cross-site scripting (XSS) is possible in DNN (formerly DotNetNuke) before 9.4.0 by remote authenticated users via the Display Name field in the admin notification function.
OSV
Stored Cross-Site Scripting vulnerability in admin component of DotNetNuke
osv·2019-11-18
CVE-2019-12562 [MEDIUM] Stored Cross-Site Scripting vulnerability in admin component of DotNetNuke
Cross-site scripting (XSS) is possible in DNN (formerly DotNetNuke) before 9.4.0 by remote authenticated users via the Display Name field in the admin notification function.
http://packetstormsecurity.com/files/154673/DotNetNuke-Cross-Site-Scripting.html
https://mayaseven.com/cve-2019-12562-stored-cross-site-scripting-in-dotnetnuke-dnn-version-v9-3-2/
Published: 2019-09-26