Vulnerability Details : CVE-2013-6837
Cross-site scripting (XSS) vulnerability in the setTimeout function in js/jquery.prettyPhoto.js in prettyPhoto 3.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted PATH_INFO to the default URI.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2013-6837
Probability of exploitation activity in the next 30 days: 0.26%
Percentile (the proportion of vulnerabilities scored at or below this one): ~62%
CVSS scores for CVE-2013-6837
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
CWE ids for CVE-2013-6837
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-6837
- https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc
  GitHub commit (the link currently returns "Page not found") [Exploit; Patch]
- http://themeforest.net/item/udesign-responsive-wordpress-theme/253220
  uDesign - Responsive WordPress Theme by AndonDesign | ThemeForest
- http://themeforest.net/forums/thread/security-vulnerability-affecting-prettyphoto-jquery-script/181180
  Security Vulnerability Affecting prettyPhoto jQuery Script - Envato Forums
- http://www.no-margin-for-errors.com/projects/prettyphoto-jquery-lightbox-clone/
  jQuery lightbox for images, videos, YouTube, iframes, ajax - Stéphane Caron, No Margin For Errors
- http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html
  Miscellaneous Ramblings of An Ethical Hacker [Exploit]
- http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html
  Doing an XSS in the Prettyphoto Plugin ~ Comunidad PeruCrack
- http://cxsecurity.com/issue/WLB-2013110149
  WordPress Pretty Photo Cross Site Scripting - CXSecurity.com [Exploit]
Products affected by CVE-2013-6837
- cpe:2.3:a:no-margin-for-errors:prettyphoto:*:*:*:*:*:*:*:*