Xorbin Digital Flash Clock 1.0 For WordPress XSS

2013.07.01
Credit: Prakhar Prasad
Risk: Low
Local: No
Remote: Yes
CVE: CVE: 2013-4693
CWE: CWE-79
Dork: inurl:xorbin-digital-flash-clock

==================================================================== Xorbin Digital Flash Clock 1.0 Plugin for Wordpress Flash-based XSS ==================================================================== Description: This plugin displays digital flash clock on your website. It's easy to use and it's highly customizable. You can add digital flash clock to your website as a widget and use as many clocks as you like on one page. Published: 30-06-2013 Version : 1.0 Severity : Low to Moderate CVSS Score: 5 CVE: 2013-4693 Authors : Prakhar Prasad http://www.prakharprasad.com Rafay Baloch http://www.rafayhackingarticles.net Download : http://wordpress.org/plugins/xorbin-digital-flash-clock/ Vendor : XORBin http://www.xorbin.com/ Google Dork: inurl:xorbin-digital-flash-clock Details: The vulnerability exists in "xorDigitalClock.swf" file of this plugin, "widgetUrl" parameter is taken from external input and is passed into getURL function. getURL(_root.widgetUrl, "") Proof-of-Concept: http://domain.tld/wordpress/wp-content/plugins/xorbin-digital-flash-clock/media/xorDigitalClock.swf#?widgetUrl=javascript:alert(1); Clicking on the clock will execute Javascript payload. Solution: https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL

References:

http://www.prakharprasad.com
https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top