exploitDog

CVE-2019-12934

Published: 20 Jul 2019
Source: nvd
CVSS3: 8.8
CVSS2: 6.8
EPSS: Low

Description

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.

Vulnerable configurations

Configuration 1
cpe:2.3:a:wp-code-highlightjs_project:wp-code-highlightjs:*:*:*:*:*:wordpress:*:*
Version up to 0.6.2 (inclusive)

EPSS

Percentile: 72%
0.00735
Low

Weaknesses

CWE-79

Related vulnerabilities

github
more than 3 years ago

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
