Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2012-1647
Last Modified: 29 Aug 2012 12:00:00
Published: 28 Aug 2012 01:55:03
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-1647

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION.

Vulnerable Systems

Application

  • Mediafront 6.x-1.0

  • Mediafront 6.x-1.0-beta3

  • Mediafront 6.x-1.1

  • Mediafront 6.x-1.2

  • Mediafront 6.x-1.3

  • Mediafront 6.x-1.x


References

MISC - https://drupal.org/node/1461424

CONFIRM - https://drupal.org/node/1460894

CONFIRM - https://drupal.org/node/1460892

XF - mediafront-phplibrary-xss(73606)

BID - 52229

OSVDB - 79684

MLIST - [oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

CONFIRM - http://drupalcode.org/project/mediafront.git/commitdiff/b3857aa

CONFIRM - http://drupalcode.org/project/mediafront.git/commitdiff/6300750


Last Updated: 27 May 2016 11:00:23