
List:       full-disclosure
Subject:    [FD] Reflected XSS in Flickr Justified Gallery could allows unauthenticated attackers to do almost a
From:       dxw Security <security () dxw ! com>
Date:       2015-07-28 11:23:07
Message-ID: 3e30a2526cce08a66e0e4534e115a42a () security ! dxw ! com

Details
================
Software: Flickr Justified Gallery
Version: 3.3.6
Homepage: https://wordpress.org/plugins/flickr-justified-gallery/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-flickr-justified-gallery-could-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can-do/
                
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in Flickr Justified Gallery could allow unauthenticated attackers to do almost anything an admin can do

Vulnerability
================
This plugin contains a reflected XSS vulnerability which would allow an unauthenticated attacker to do almost anything an admin user can do. For this to happen, the administrator would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.

Proof of concept
================
Visit a page containing the following in Firefox or any other browser with no reflected XSS mitigation strategies, and click submit:

<form action="http://localhost/wp-admin/options-general.php?page=fjgwpp.php" method="POST">
  <input type="text" name="fjgwpp_userID" value=":&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="Submit" value="Save Changes">
  <input type="submit">
</form>

Mitigations
================
Upgrade to version 3.4.0 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2015-07-21: Discovered
2015-07-22: Reported to vendor via email
2015-07-22: Requested CVE
2015-07-23: Vendor responded confirming fixed in 3.4.0
2015-07-28: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
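
The reflection demonstrated in the proof of concept, shown as an added example that is not part of the original advisory or the plugin's code: a settings field that echoes fjgwpp_userID unescaped, next to the same field with attribute-context encoding. The function names and field markup are hypothetical; only the parameter name and the payload come from the advisory, and plain-PHP htmlspecialchars() stands in for WordPress's esc_attr() so the block runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. The render_* functions and the
// field markup are hypothetical; only the parameter name fjgwpp_userID and
// the payload are taken from the advisory.

// Value the settings page receives once the browser decodes the PoC form field.
const POC_VALUE = ':"><script>alert(1)</script>';

// Unsafe pattern: the submitted value is echoed into the attribute as-is.
function render_field_unescaped(array $post): string
{
    $value = $post['fjgwpp_userID'] ?? '';
    return '<input type="text" name="fjgwpp_userID" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// Inside WordPress the equivalent call is esc_attr().
function render_field_escaped(array $post): string
{
    $value = $post['fjgwpp_userID'] ?? '';
    if (!is_string($value)) {          // e.g. fjgwpp_userID[]=x arrives as an array
        $value = '';
    }
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="fjgwpp_userID" value="' . $safe . '">';
}

// Parse the markup the way a browser would and report whether the value
// escaped its attribute and became a <script> element.
function contains_script_element(string $html): bool
{
    libxml_use_internal_errors(true);  // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length > 0;
}

$post = ['fjgwpp_userID' => POC_VALUE];   // constructed request body
foreach (['render_field_unescaped', 'render_field_escaped'] as $fn) {
    $html = $fn($post);
    printf("%s\n  script element parsed: %s\n  %s\n", $fn,
        contains_script_element($html) ? 'yes' : 'no', $html);
}
```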
          

