Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.8
CVE Id CVE-2013-4240
Last Modified 02 Apr 2014 01:56:23
Published 02 Apr 2014 12:05:50
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2013-4240

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add new testimonials via the hms-testimonials-addnew page, (2) add new groups via the hms-testimonials-addnewgroup page, (3) change default settings via the hms-testimonials-settings page, (4) change advanced settings via the hms-testimonials-settings-advanced page, (5) change custom fields settings via the hms-testimonials-settings-fields page, or (6) change template settings via the hms-testimonials-templates-new page to wp-admin/admin.php.

Vulnerable Systems

Application

  • Jeff Kreitner Hms-testimonials 1.1

  • Jeff Kreitner Hms-testimonials 1.2

  • Jeff Kreitner Hms-testimonials 1.3

  • Jeff Kreitner Hms-testimonials 1.4

  • Jeff Kreitner Hms-testimonials 1.4.1

  • Jeff Kreitner Hms-testimonials 1.5

  • Jeff Kreitner Hms-testimonials 1.6

  • Jeff Kreitner Hms-testimonials 1.6.1

  • Jeff Kreitner Hms-testimonials 1.6.2

  • Jeff Kreitner Hms-testimonials 1.7

  • Jeff Kreitner Hms-testimonials 1.7.1

  • Jeff Kreitner Hms-testimonials 2.0

  • Jeff Kreitner Hms-testimonials 2.0.1

  • Jeff Kreitner Hms-testimonials 2.0.10

  • Jeff Kreitner Hms-testimonials 2.0.2

  • Jeff Kreitner Hms-testimonials 2.0.3

  • Jeff Kreitner Hms-testimonials 2.0.4

  • Jeff Kreitner Hms-testimonials 2.0.5

  • Jeff Kreitner Hms-testimonials 2.0.6

  • Jeff Kreitner Hms-testimonials 2.0.7

  • Jeff Kreitner Hms-testimonials 2.0.8

  • Jeff Kreitner Hms-testimonials 2.0.9


References

CONFIRM - http://wordpress.org/plugins/hms-testimonials/changelog

MLIST - [oss-security] 20130812 Re: Re: CVE Request - HMS Testimonials 2.0.10 WP plugin

MLIST - [oss-security] 20130810 CVE Request - HMS Testimonials 2.0.10 WP plugin

FULLDISC - 20130809 Update [RCA-201309-01] HMS Testimonials 2.0.10 WP plugin - Multiple vulnerabilities

FULLDISC - 20130808 [RCA-201308-01] HMS Testimonials 2.0.10 WP plugin - Multiple vulnerabilities

OSVDB - 96107


Last Updated: 27 May 2016 11:04:50