Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| civicrm | civicrm | 4.1.0 |
| civicrm | civicrm | 3.2.5 |
| blair_williams | pretty_link_lite | * |
| civicrm | civicrm | 3.1.0 |
| civicrm | civicrm | 3.3.2 |
| blair_williams | pretty_link_lite | 1.6.1 |
| civicrm | civicrm | 4.1.5 |
| caseproof | prettylinks | * |
| civicrm | civicrm | 3.1.6 |
| civicrm | civicrm | 3.2.3 |
| civicrm | civicrm | 3.1.1 |
| civicrm | civicrm | 4.3.1 |
| civicrm | civicrm | 4.1.6 |
| civicrm | civicrm | 4.2.0 |
| civicrm | civicrm | 3.3.6 |
| civicrm | civicrm | 4.3.0 |
| civicrm | civicrm | 4.3.2 |
| civicrm | civicrm | 3.1.3 |
| civicrm | civicrm | 3.2.2 |
| civicrm | civicrm | 4.2.1 |
| civicrm | civicrm | 4.2.8 |
| civicrm | civicrm | 4.3.3 |
| civicrm | civicrm | 3.2.1 |
| civicrm | civicrm | 3.3.1 |
| civicrm | civicrm | 4.2.9 |
| civicrm | civicrm | 3.3.0 |
| civicrm | civicrm | 3.4.0 |
| civicrm | civicrm | 4.1.2 |
| civicrm | civicrm | 3.2.0 |
| civicrm | civicrm | 3.3.5 |
| civicrm | civicrm | 4.0.5 |
| civicrm | civicrm | 3.2.4 |
| joobi | com_jnews | 8.0.1 |
| civicrm | civicrm | 4.1.4 |
| caseproof | prettylinks | 1.6.1 |
| civicrm | civicrm | 4.2.6 |
| civicrm | civicrm | 4.1.3 |
| caseproof | prettylinks | 1.6.0 |
| civicrm | civicrm | 4.2.7 |
| civicrm | civicrm | 3.1.2 |
| civicrm | civicrm | 3.1.4 |
| civicrm | civicrm | 4.2.2 |
| civicrm | civicrm | 4.1.1 |
| civicrm | civicrm | 4.2.4 |
| civicrm | civicrm | 3.3.3 |
| blair_williams | pretty_link_lite | 1.6.0 |
| civicrm | civicrm | 3.1.5 |
| civicrm | civicrm | 4.2.5 |
JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-434,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| joobi | jnews | * |
JNews Joomla Component before 8.5.0 allows SQL injection via upload thumbnail, Queue Search Field, Subscribers Search Field, or Newsletters Search Field.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| joobi | jnews | * |
JNews Joomla Component before 8.5.0 has XSS via the mailingsearch parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| joobi | jnews | 8.3.1 |