CVE-2013-0234

Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to action/widgets/save.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
elggelgg
1.8.0.1
elggelgg
1.8.1
elggelgg
1.8.3
elggelgg
1.8.4
elggelgg
1.8.5
elggelgg
1.8.6
elggelgg
1.8.7
elggelgg
1.8.8
elggelgg
1.8.9
elggelgg
1.8.10
elggelgg
1.8.11
elggelgg
1.8.12
elggelgg
𝑥
≤ 1.7.16
elggelgg
1.7.0
elggelgg
1.7.1
elggelgg
1.7.2
elggelgg
1.7.3
elggelgg
1.7.4
elggelgg
1.7.5
elggelgg
1.7.6
elggelgg
1.7.7
elggelgg
1.7.8
elggelgg
1.7.9
elggelgg
1.7.10
elggelgg
1.7.11
elggelgg
1.7.12
elggelgg
1.7.13
elggelgg
1.7.14
elggelgg
1.7.15
elggelgg
1.7.18
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://blog.elgg.org/pg/blog/cash/read/223/elgg-1813-and-1717
http://packetstormsecurity.com/files/119903/Elgg-Twitter-Widget-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2013/Jan/251
http://secunia.com/advisories/52007
http://www.openwall.com/lists/oss-security/2013/01/29/4
http://www.securityfocus.com/bid/57569
https://github.com/Elgg/Elgg/commit/19dc507c2fccb378be2a44a762edf6c1e7afa334#L0R11
https://github.com/Elgg/Elgg/commit/a74a88501c41e89c8bcd7fc650ae2f8cc0a5003d#L2L21
http://blog.elgg.org/pg/blog/cash/read/223/elgg-1813-and-1717
http://packetstormsecurity.com/files/119903/Elgg-Twitter-Widget-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2013/Jan/251
http://secunia.com/advisories/52007
http://www.openwall.com/lists/oss-security/2013/01/29/4
http://www.securityfocus.com/bid/57569
https://github.com/Elgg/Elgg/commit/19dc507c2fccb378be2a44a762edf6c1e7afa334#L0R11
https://github.com/Elgg/Elgg/commit/a74a88501c41e89c8bcd7fc650ae2f8cc0a5003d#L2L21