CVE-2014-2995

Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://security.dxw.com/advisories/csrfxss-vulnerability-in-twitget-3-3-1	Exploit
http://wordpress.org/plugins/twitget/changelog	Vendor Advisory
http://packetstormsecurity.com/files/126134	Exploit
http://seclists.org/fulldisclosure/2014/Apr/172	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/92392

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:twitget_project:twitget:*:-:-:-:-:wordpress:*:*

Information

Published : 2014-10-17 15:55

Updated : 2017-08-28 18:34

NVD link : CVE-2014-2995

Mitre link : CVE-2014-2995

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

twitget_project

twitget

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://security.dxw.com/advisories/csrfxss-vulnerability-in-twitget-3-3-1", "name": "https://security.dxw.com/advisories/csrfxss-vulnerability-in-twitget-3-3-1", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://wordpress.org/plugins/twitget/changelog", "name": "http://wordpress.org/plugins/twitget/changelog", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://packetstormsecurity.com/files/126134", "name": "http://packetstormsecurity.com/files/126134", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/172", "name": "20140411 CSRF/XSS vulnerability in Twitget 3.3.1 (WordPress plugin)", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92392", "name": "twitget-wordpress-xss(92392)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-2995", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-10-17T22:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:twitget_project:twitget:*:-:-:-:-:wordpress:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.3.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:34Z"}