Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Improper Input Validation Vulnerability (CVE-2013-2204)

Description

moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.

Remediation

References

Related Vulnerabilities

WordPress Plugin Vodpod Video Gallery 'gid' Parameter Cross-Site Scripting (3.1.5)

WordPress Plugin Student Result or Employee Database Security Bypass (1.6.3)

WordPress Plugin Swift Landing Page Cross-Site Request Forgery (1.1)

Apache HTTP Server Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2020-11993)

Django Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2023-46695)

Severity

Medium

Classification

CVE-2013-2204 CWE-20

Tags

Missing Update Known Vulnerabilities