Description
The default configuration of SWFUpload in WordPress before 3.5.2 has an overly permissive security.allowDomain setting, which allows a remote attacker to bypass the same-origin policy and conduct cross-site scripting (XSS) attacks via a crafted web site.
Remediation
References
Related Vulnerabilities
TYPO3 URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2010-3669)
WordPress Plugin WordPress File Upload Arbitrary File Upload (3.8.5)
WordPress Plugin Social Media Share Buttons & Social Sharing Icons Cross-Site Scripting (1.1.1.11)
Django Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2021-31542)