Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and previous versions, as used in WordPress prior to 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote malicious users to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.

| Vulnerable Product |
|---|
| swfupload project swfupload |
| swfupload project swfupload 1.0.2 |
| swfupload project swfupload 2.0.2 |
| swfupload project swfupload 2.1.0 |
| swfupload project swfupload 2.2.0 |
| tinymce image manager 1.1 |
| wordpress wordpress |
| wordpress wordpress - |
| wordpress wordpress 3.0 |
| wordpress wordpress 3.0.1 |
| wordpress wordpress 3.0.2 |
| wordpress wordpress 3.0.3 |
| wordpress wordpress 3.0.4 |
| wordpress wordpress 3.0.5 |
| wordpress wordpress 3.0.6 |
| wordpress wordpress 3.1 |
| wordpress wordpress 3.1.1 |
| wordpress wordpress 3.1.2 |
| wordpress wordpress 3.1.3 |
| wordpress wordpress 3.1.4 |
| wordpress wordpress 3.2 |
| wordpress wordpress 3.2.1 |
| wordpress wordpress 3.3 |

Unpatched WordPress flaw clears way for inbox takeovers
Yahoo! webmail accounts are being hijacked by hackers exploiting an eight-month-old bug in the web giant's blog, security biz Bitdefender warns. Messages with a short link to an apparently harmless MSNBC web-page are being spread to compromise mailboxes: the link actually points to a completely different website hosting malicious JavaScript code that swipes the victim's browser cookie used to log into Yahoo! mail. Once this cookie is in the hands of miscreants, they can use it to access the vici...