oss-sec mailing list archives

Re: Re: CVE Request - HMS Testimonials 2.0.10 WP plugin
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 12 Aug 2013 14:20:09 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/12/2013 12:52 AM, Adéla Goldová wrote:
I noticed how I managed to spell the name really wrong in the message text. I just wanted to fix it to avoid confusion.
The name should be HMS Testimonials.

On 8/10/2013 at 6:31 PM, "Adéla Goldová" <roguecoder () hush com> wrote:

Hello

The HMS Tesminoalis version 2.0.10 plugin for WordPress contains multiple CSRF and XSS vulnerabilities.
This can be used in many different ways, like defacement of both the public site and the admin area (only the HMS Testimonials plugin area will be affected), modifying settings to set a lower role as moderator (very harmful on sites with open registrations), etc. Could CVEs be assigned to this?

1: http://seclists.org/fulldisclosure/2013/Aug/96


CVE MERGE, same researcher/versions, so:

CVE-2013-4240 HMS Testimonials 2.0.10 CSRF
CVE-2013-4241 HMS Testimonials 2.0.10 XSS


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

