CVE-2012-3414: XSS
First published: Fri Jul 19 2013(Updated: )
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Swfupload Project Swfupload | <=2.2.0.1 | |
| Swfupload Project Swfupload | =1.0.2 | |
| Swfupload Project Swfupload | =2.0.2 | |
| Swfupload Project Swfupload | =2.1.0 | |
| Swfupload Project Swfupload | =2.2.0 | |
| TinyMCE | =1.1 | |
| WordPress | <=3.3.1 | |
| WordPress | ||
| WordPress | =3.0 | |
| WordPress | =3.0.1 | |
| WordPress | =3.0.2 | |
| WordPress | =3.0.3 | |
| WordPress | =3.0.4 | |
| WordPress | =3.0.5 | |
| WordPress | =3.0.6 | |
| WordPress | =3.1 | |
| WordPress | =3.1.1 | |
| WordPress | =3.1.2 | |
| WordPress | =3.1.3 | |
| WordPress | =3.1.4 | |
| WordPress | =3.2 | |
| WordPress | =3.2.1 | |
| WordPress | =3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html
- http://code.google.com/p/swfupload/issues/detail?id=376
- http://make.wordpress.org/core/2013/06/21/secure-swfupload/
- http://packetstormsecurity.com/files/122399/TinyMCE-Image-Manager-1.1-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2012/07/16/4
- http://www.openwall.com/lists/oss-security/2012/07/17/12
- http://www.securityfocus.com/bid/54245
- https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
Frequently Asked Questions
What is the severity of CVE-2012-3414?
CVE-2012-3414 has a medium severity rating due to its potential for XSS attacks.
How do I fix CVE-2012-3414?
To fix CVE-2012-3414, you should upgrade to a version of SWFUpload later than 2.2.0.1 and ensure that your applications are patched against XSS vulnerabilities.
Which software is affected by CVE-2012-3414?
CVE-2012-3414 affects SWFUpload versions 2.2.0.1 and earlier, TinyMCE Image Manager 1.1, and various versions of WordPress before 3.3.2.
What kind of attack can be executed via CVE-2012-3414?
CVE-2012-3414 allows remote attackers to perform cross-site scripting (XSS) attacks by injecting arbitrary web scripts or HTML.
Which parameter is exploited in CVE-2012-3414?
The vulnerability is exploited via the movieName parameter in the swfupload.swf file.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/swfupload project
- canonical/swfupload project swfupload
- version/swfupload project swfupload/2.2.0.1
- version/swfupload project swfupload/1.0.2
- version/swfupload project swfupload/2.0.2
- version/swfupload project swfupload/2.1.0
- version/swfupload project swfupload/2.2.0
- vendor/tinymce
- canonical/tinymce
- version/tinymce/1.1
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.3.1
- version/wordpress/3.0
- version/wordpress/3.0.1
- version/wordpress/3.0.2
- version/wordpress/3.0.3
- version/wordpress/3.0.4
- version/wordpress/3.0.5
- version/wordpress/3.0.6
- version/wordpress/3.1
- version/wordpress/3.1.1
- version/wordpress/3.1.2
- version/wordpress/3.1.3
- version/wordpress/3.1.4
- version/wordpress/3.2
- version/wordpress/3.2.1
- version/wordpress/3.3