moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
References
Configurations
Configuration 1 (hide)
|
Information
Published : 2013-07-08 13:55
Updated : 2013-08-13 10:21
NVD link : CVE-2013-2204
Mitre link : CVE-2013-2204
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
wordpress
- wordpress
tinymce
- media