lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 12 Jan 2016 20:56:12 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: WP Symposium Pro Social Network Plugin XSS Vulnerability

##FULL DISCLOSURE

#Product : WP Symposium Pro Social Network plugin
#Exploit Author : Rahul Pratap Singh
#Home page Link : https://wordpress.org/plugins/wp-symposium-pro
#Version  : 16.1
#Website  : 0x62626262.wordpress.com
#Twitter  : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date  : 12/Jan/2016

XSS Vulnerability:

Description:

“user_id” parameter is not sanitized, that leads to reflected xss.

POC:

https://0x62626262.files.wordpress.com/2016/01/wpsymposiumpro16_1xsspoc.png

Fix:
Update to version 16.01.01

Disclosure Timeline:

reported to vendor  : 12/1/2016
vendor response     : 12/1/2016
vendor acknowledged : 12/1/2016
vendor deployed a patch: 12/1/2016

Pub Ref:
http://www.wpsymposiumpro.com/wp-symposium-pro-16-01-01-security-release/
https://wordpress.org/plugins/wp-symposium-pro/
https://0x62626262.wordpress.com/2016/01/12/wp-symposium-pro-social-network-plugin-xss-vulnerability/

Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (3134 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ