Vulnerability CVE-2013-0237 - CERT Civis.Net

Vulnerability Name:

CVE-2013-0237 (CCN-84294)

Assigned:

2012-12-06

Published:

2013-02-27

Updated:

2013-07-08

Summary:

Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: CONFIRM
Type: UNKNOWN
http://codex.wordpress.org/Version_3.5.1

Source: MITRE
Type: CNA
CVE-2013-0237

Source: CCN
Type: SA53398
WordPress Newsletter Plugin "alert" Cross-Site Scripting Vulnerability

Source: CCN
Type: Newsletter plugin for WordPress Web site
WordPress Newsletter « WordPress Plugins

Source: CONFIRM
Type: Vendor Advisory
http://wordpress.org/news/2013/01/wordpress-3-5-1/

Source: CCN
Type: BID-59856
WordPress Newsletter Plugin 'alert' Parameter Cross Site Scripting Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=904122

Source: CCN
Type: Red Hat Bugzilla Bug 904124
CVE-2013-0235 CVE-2013-0236 CVE-2013-0237 wordpress various flaws

Source: XF
Type: UNKNOWN
newsletter-cve20130237-xss(84294)

Source: CONFIRM
Type: Exploit, Patch
https://github.com/moxiecode/plupload/commit/2d746ee9083c184f1234d8fed311e89bdd1b39e5

Source: CCN
Type: Packet Storm Security [05-14-2013]
Wordpress Newsletter 3.2.6 Cross Site Scripting

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-0237

Vulnerable Configuration:

Configuration 1:

cpe:/a:moxiecode:plupload:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.5.0:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.5.0:beta:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.5.2:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:1.5.3:*:*:*:*:*:*:*

OR cpe:/a:moxiecode:plupload:*:*:*:*:*:*:*:* (Version <= 1.5.4)

OR cpe:/a:wordpress:wordpress:0.71:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.0:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.0.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.5:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.2.5:a:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.3.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.3.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.5:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.6:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.7:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.8:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.9:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.10:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.0.11:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.1.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.1.3:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.2:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.2.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.3:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.3.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.3.2:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.5:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.6:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.6.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.6.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.6.5:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.7:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.4:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.4:a:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.5:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.5.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.5.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.8.6:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.9:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.9.1:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.9.1.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:2.9.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.3:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.3.2:-:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.3.3:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.4.0:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.4.1:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:3.4.2:*:*:*:*:*:*:*

OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version <= 3.5.0)

Configuration 2:

cpe:/o:fedoraproject:fedora:16:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:17:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:18:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:fp_newsletter_project:fp_newsletter:3.2.6:*:*:*:*:typo3:*:*

AND

cpe:/a:wordpress:wordpress:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20130237000	V	CVE-2013-0237 on Ubuntu 12.04 LTS (precise) - medium.	2013-07-08
oval:com.ubuntu.trusty:def:20130237000	V	CVE-2013-0237 on Ubuntu 14.04 LTS (trusty) - medium.	2013-07-08
oval:com.ubuntu.xenial:def:20130237000	V	CVE-2013-0237 on Ubuntu 16.04 LTS (xenial) - medium.	2013-07-08
oval:com.ubuntu.xenial:def:201302370000000	V	CVE-2013-0237 on Ubuntu 16.04 LTS (xenial) - medium.	2013-07-08