Vulners
Lucene search
Xorbin Analog Flash Clock 1.0 For WordPress XSS
šļøĀ 30 Jun 2013Ā 00:00:00Reported byĀ Prakhar PrasadTypeĀ 
Ā packetstormšĀ packetstormsecurity.comšĀ 51Ā Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2013-4692 | 30 Jun 201300:00 | ā | circl |
 | CVE-2013-4692 | 27 Dec 201916:03 | ā | cve |
 | CVE-2013-4692 | 27 Dec 201916:03 | ā | cvelist |
 | EUVD-2013-4545 | 7 Oct 202500:30 | ā | euvd |
 | CVE-2013-4692 | 27 Dec 201917:15 | ā | nvd |
| Xorbin Analog Flash Clock 1.0 For Joomla XSS | 30 Jun 201300:00 | ā | packetstorm |
 | WordPress Xorbin Digital Flash Clock Plugin - Cross Site Scripting | 30 Jun 201300:00 | ā | patchstack |
 | Cross site scripting | 27 Dec 201917:15 | ā | prion |
 | CVE-2013-4692 | 22 May 202506:18 | ā | redhatcve |
 | Xorbin Analog Flash Clock 1.0 - Flash-based XSS | 1 Aug 201410:59 | ā | wpvulndb |
10
`====================================================================
Xorbin Analog Flash Clock 1.0 Plugin for Wordpress Flash-based XSS
====================================================================
Description: This plugin displays analog flash clock on your website. It's easy to use and it's highly customizable. You can add analog flash clock to your website as a widget and use as many clocks as you like on one page
Published: 30-06-2013
Version : 1.0
Severity : Low to Moderate
CVSS Score: 5
CVE: 2013-4692
Authors : Prakhar Prasad http://www.prakharprasad.com
Rafay Baloch http://www.rafayhackingarticles.net
Download : http://wordpress.org/plugins/xorbin-analog-flash-clock/
Vendor : XORBin http://www.xorbin.com/
Google Dork: inurl:xorbin-analog-flash-clock
Details:
The vulnerability exists in "xorAnalogClock.swf" file of this plugin, "widgetUrl" and "urlWindow" parameter is taken
from external input and is passed first into URLRequest() and then to navigateToURL() function.
Pseudocode: navigateToURL(new URLRequest(_root.widgetUrl), _root.urlWindow);
Proof-of-Concept:
http://domain.tld/wordpress/wp-content/plugins/xorbin-analog-flash-clock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1);
Clicking on clock will execute the Javascript payload.
Solution:
Similar method can be applied as described here - https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL
`
Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jun 2013 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.03914