CVE-2014-2995

Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/126134	Exploit
http://seclists.org/fulldisclosure/2014/Apr/172	Exploit
http://wordpress.org/plugins/twitget/changelog	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/92392
https://security.dxw.com/advisories/csrfxss-vulnerability-in-twitget-3-3-1	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:twitget_project:twitget:*:-:-:-:-:wordpress:*:*

History

No history.

Information

Published : 2014-10-17 22:55

Updated : 2024-02-28 12:20

NVD link : CVE-2014-2995

Mitre link : CVE-2014-2995

CVE.ORG link : CVE-2014-2995

JSON object : View

Products Affected

twitget_project

twitget

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2014-2995", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-10-17T22:55:04.673", "references": [{"url": "http://packetstormsecurity.com/files/126134", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/172", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://wordpress.org/plugins/twitget/changelog", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92392", "source": "cve@mitre.org"}, {"url": "https://security.dxw.com/advisories/csrfxss-vulnerability-in-twitget-3-3-1", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en twitget.php en el plugin Twitget anterior a 3.3.3 para WordPress permiten a adminitradores remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores sin especificar, tal y como se ha demostrado en el par\u00e1metro twitget_consumer_key hacia wp-admin/options-general.php."}], "lastModified": "2017-08-29T01:34:35.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:twitget_project:twitget:*:-:-:-:-:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2A92F729-520E-4903-B25A-A17C6B3F9653", "versionEndIncluding": "3.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}