QwikSec

Security Database

CVE

CWE

Training

CVE-2013-2204

Published: Jul 8, 2013

Modified: Aug 6, 2024

PUBLISHED

Description

moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://wordpress.org/news/2013/06/wordpress-3-5-2/

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

https://bugzilla.redhat.com/show_bug.cgi?id=976784

x_refsource_CONFIRM

http://codex.wordpress.org/Version_3.5.2

x_refsource_CONFIRM

https://github.com/moxiecode/moxieplayer/commit/b61ac518ffa2657e2dc9019b2dcf2f3f37dbfab0

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2013-2204 - Security Vulnerability | QwikSec