Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2013-1407

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2013-1407
Last Modified 20 May 2014 12:00:41
Published 13 May 2014 10:55:08
Confidentiality Impact NONE NONE
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2013-1407

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.

Vulnerable Systems

Application

  • Netweblogic Events Manager 5.3

  • Netweblogic Events Manager 5.3.1

  • Netweblogic Events Manager 5.3.2

  • Netweblogic Events Manager 5.3.2.1

  • Netweblogic Events Manager 5.3.3

  • Netweblogic Events Manager 5.3.4

  • Netweblogic Events Manager Pro 2.2

  • Netweblogic Events Manager Pro 2.2.1

  • Netweblogic Events Manager Pro 2.2.2

  • Netweblogic Events Manager Pro 2.2.3

  • Netweblogic Events Manager Pro 2.2.4

  • Netweblogic Events Manager Pro 2.2.5

  • Netweblogic Events Manager Pro 2.2.6

  • Netweblogic Events Manager Pro 2.2.7

  • Netweblogic Events Manager Pro 2.2.8


References

MISC - https://www.htbridge.com/advisory/HTB23139

CONFIRM - http://wp-events-plugin.com/blog/2013/01/22/5-3-5-released-includes-a-security-update

BUGTRAQ - 20130306 Multiple XSS vulnerabilities in Events Manager WordPress plugin


Last Updated: 27 May 2016 11:03:24