Lucene search

[email protected]CVE-2014-5347

HistoryAug 19, 2014 - 7:55 p.m.

CVE-2014-5347

2014-08-1919:55:04

CWE-352

[email protected]

web.nvd.nist.gov

cve-2014-5347

csrf

xss

disqus comment system

wordpress

plugin vulnerabilities

remote attackers

authentication hijacking

cross-site scripting

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.2%

JSON

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.

Affected configurations

NVD

Node

disqusdisqus_comment_systemRange≤2.75wordpress

disqusdisqus_comment_systemMatch2.40wordpress

disqusdisqus_comment_systemMatch2.41wordpress

disqusdisqus_comment_systemMatch2.42wordpress

disqusdisqus_comment_systemMatch2.43wordpress

disqusdisqus_comment_systemMatch2.44wordpress

disqusdisqus_comment_systemMatch2.45wordpress

disqusdisqus_comment_systemMatch2.46wordpress

disqusdisqus_comment_systemMatch2.47wordpress

disqusdisqus_comment_systemMatch2.48wordpress

disqusdisqus_comment_systemMatch2.49wordpress

disqusdisqus_comment_systemMatch2.50wordpress

disqusdisqus_comment_systemMatch2.51wordpress

disqusdisqus_comment_systemMatch2.52wordpress

disqusdisqus_comment_systemMatch2.53wordpress

disqusdisqus_comment_systemMatch2.54wordpress

disqusdisqus_comment_systemMatch2.55wordpress

disqusdisqus_comment_systemMatch2.60wordpress

disqusdisqus_comment_systemMatch2.61wordpress

disqusdisqus_comment_systemMatch2.62wordpress

disqusdisqus_comment_systemMatch2.63wordpress

disqusdisqus_comment_systemMatch2.64wordpress

disqusdisqus_comment_systemMatch2.65wordpress

disqusdisqus_comment_systemMatch2.66wordpress

disqusdisqus_comment_systemMatch2.67wordpress

disqusdisqus_comment_systemMatch2.68wordpress

disqusdisqus_comment_systemMatch2.69wordpress

disqusdisqus_comment_systemMatch2.70wordpress

disqusdisqus_comment_systemMatch2.71wordpress

disqusdisqus_comment_systemMatch2.72wordpress

disqusdisqus_comment_systemMatch2.73wordpress

disqusdisqus_comment_systemMatch2.74wordpress

CPENameOperatorVersion
disqus:disqus_comment_systemdisqus disqus comment systemle2.75
disqus:disqus_comment_systemdisqus disqus comment systemeq2.40
disqus:disqus_comment_systemdisqus disqus comment systemeq2.41
disqus:disqus_comment_systemdisqus disqus comment systemeq2.42
disqus:disqus_comment_systemdisqus disqus comment systemeq2.43
disqus:disqus_comment_systemdisqus disqus comment systemeq2.44
disqus:disqus_comment_systemdisqus disqus comment systemeq2.45
disqus:disqus_comment_systemdisqus disqus comment systemeq2.46
disqus:disqus_comment_systemdisqus disqus comment systemeq2.47
disqus:disqus_comment_systemdisqus disqus comment systemeq2.48

CPE	Name	Operator	Version
disqus:disqus_comment_system	disqus disqus comment system	le	2.75
disqus:disqus_comment_system	disqus disqus comment system	eq	2.40
disqus:disqus_comment_system	disqus disqus comment system	eq	2.41
disqus:disqus_comment_system	disqus disqus comment system	eq	2.42
disqus:disqus_comment_system	disqus disqus comment system	eq	2.43
disqus:disqus_comment_system	disqus disqus comment system	eq	2.44
disqus:disqus_comment_system	disqus disqus comment system	eq	2.45
disqus:disqus_comment_system	disqus disqus comment system	eq	2.46
disqus:disqus_comment_system	disqus disqus comment system	eq	2.47
disqus:disqus_comment_system	disqus disqus comment system	eq	2.48

Rows per page:

1-10 of 321

References

packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html

packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2014/Aug/35

www.exploit-db.com/exploits/34336

www.securityfocus.com/bid/69205

exchange.xforce.ibmcloud.com/vulnerabilities/95288

exchange.xforce.ibmcloud.com/vulnerabilities/95289

gist.github.com/nikcub/cb5dc7a5464276c8424a

wordpress.org/plugins/disqus-comment-system/other_notes

www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.2%

JSON

Related for CVE-2014-5347

nvd1 prion1 cvelist1 wpvulndb1