Date: Sun, 20 Nov 2016 11:18:24 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: "Larry W. Cashdollar" <larry0@...com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Stored Cross-Site Scripting in WP Canvas - Shortcodes
 WordPress Plugin

Hi Larry,

The entire advisories are posted to the oss-security mailing list.

Cheers,

Team Summer of Pwnage


On 19-11-16 15:13, Larry W. Cashdollar wrote:
> Hello All,
>
> These are really great advisories, my only wish is that they were copied to the security lists in their entirety.  This way we aren't relying on a single point of failure (your website) when looking for the data in the future.
>
> Thanks!
> Larry
>
>> On Nov 19, 2016, at 5:48 AM, Summer of Pwnage <lists@...urify.nl> wrote:
>>
>> ------------------------------------------------------------------------
>> Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
>> ------------------------------------------------------------------------
>> Yorick Koster, July 2016
>>
>> ------------------------------------------------------------------------
>> Abstract
>> ------------------------------------------------------------------------
>> A Cross-Site Scripting vulnerability was found in the WP Canvas -
>> Shortcodes WordPress Plugin. This issue allows an attacker to perform a
>> wide variety of actions, such as stealing Administrators' session
>> tokens, or performing arbitrary actions on their behalf. This issue can
>> be exploited by authenticated users with the Contributor or higher role.
>>
>> ------------------------------------------------------------------------
>> OVE ID
>> ------------------------------------------------------------------------
>> OVE-20160724-0031
>>
>> ------------------------------------------------------------------------
>> Tested versions
>> ------------------------------------------------------------------------
>> This issue was successfully tested on WP Canvas - Shortcodes WordPress
>> Plugin version 1.92.
>>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> This issue has been addressed in WP Canvas - Shortcodes WordPress Plugin
>> version 2.07.
>>
>> ------------------------------------------------------------------------
>> Details
>> ------------------------------------------------------------------------
>> https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
>>
>> ------------------------------------------------------------------------
>> Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
>> goal is to contribute to the security of popular, widely used OSS
>> projects in a fun and educational way.
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

