Lucene search

[email protected]CVE-2013-0234

HistoryFeb 02, 2014 - 8:55 p.m.

CVE-2013-0234

2014-02-0220:55:14

CWE-79

[email protected]

web.nvd.nist.gov

cve-2013-0234

cross-site scripting

xss

elgg

twitter

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.5%

JSON

Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to action/widgets/save.

Affected configurations

NVD

Node

elggelggMatch1.8.0.1

elggelggMatch1.8.1

elggelggMatch1.8.3

elggelggMatch1.8.4

elggelggMatch1.8.5

elggelggMatch1.8.6

elggelggMatch1.8.7

elggelggMatch1.8.8

elggelggMatch1.8.9

elggelggMatch1.8.10

elggelggMatch1.8.11

elggelggMatch1.8.12

Node

elggelggRange≤1.7.16

elggelggMatch1.7.0

elggelggMatch1.7.1

elggelggMatch1.7.2

elggelggMatch1.7.3

elggelggMatch1.7.4

elggelggMatch1.7.5

elggelggMatch1.7.6

elggelggMatch1.7.7

elggelggMatch1.7.8

elggelggMatch1.7.9

elggelggMatch1.7.10

elggelggMatch1.7.11

elggelggMatch1.7.12

elggelggMatch1.7.13

elggelggMatch1.7.14

elggelggMatch1.7.15

elggelggMatch1.7.18

CPENameOperatorVersion
elgg:elggelggeq1.8.0.1
elgg:elggelggeq1.8.1
elgg:elggelggeq1.8.3
elgg:elggelggeq1.8.4
elgg:elggelggeq1.8.5
elgg:elggelggeq1.8.6
elgg:elggelggeq1.8.7
elgg:elggelggeq1.8.8
elgg:elggelggeq1.8.9
elgg:elggelggeq1.8.10

CPE	Name	Operator	Version
elgg:elgg	elgg	eq	1.8.0.1
elgg:elgg	elgg	eq	1.8.1
elgg:elgg	elgg	eq	1.8.3
elgg:elgg	elgg	eq	1.8.4
elgg:elgg	elgg	eq	1.8.5
elgg:elgg	elgg	eq	1.8.6
elgg:elgg	elgg	eq	1.8.7
elgg:elgg	elgg	eq	1.8.8
elgg:elgg	elgg	eq	1.8.9
elgg:elgg	elgg	eq	1.8.10

Rows per page:

1-10 of 121

References

blog.elgg.org/pg/blog/cash/read/223/elgg-1813-and-1717

packetstormsecurity.com/files/119903/Elgg-Twitter-Widget-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2013/Jan/251

secunia.com/advisories/52007

www.openwall.com/lists/oss-security/2013/01/29/4

www.securityfocus.com/bid/57569

github.com/Elgg/Elgg/commit/19dc507c2fccb378be2a44a762edf6c1e7afa334#L0R11

github.com/Elgg/Elgg/commit/a74a88501c41e89c8bcd7fc650ae2f8cc0a5003d#L2L21

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.5%

JSON

Related for CVE-2013-0234

cvelist1 prion1 nvd1