Description

Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form.

Remediation

References

CVE-2010-4536

Related Vulnerabilities

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-24814)

Craft CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-37247)

GlassFish Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2017-1000028)

MySQL CVE-2015-0382 Vulnerability (CVE-2015-0382)

MySQL CVE-2016-0665 Vulnerability (CVE-2016-0665)

Severity

Medium

Classification

CVE-2010-4536 CWE-707

Tags

Missing Update Known Vulnerabilities