Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS
From: Henri Salo <henri () nerv fi>
Date: Sat, 2 Mar 2013 19:17:34 +0200

On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
I'm resending my letter from February 23, 2013 (since FD was not working
that day).

After my previous list of vulnerable software with ZeroClipboard.swf, here
is a list of software with ZeroClipboard10.swf. These are Cross-Site
Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
and aCMS.

Earlier I've wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
that this is very widespread flash-file and it's placed at tens of thousands
of web sites. And it's used in hundreds of web applications. Among them are
em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are
many other vulnerable web applications with ZeroClipboard10.swf (some of
them also contain ZeroClipboard.swf).

So did you report this vulnerability to those projects? Even to security@ or
similar address? I noticed this vulnerability from WordPress plugins. Did you
report those? Did you ask CVE identifiers?

Henri Salo

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]