CVE-2012-1001

high-risk
Published 2019-11-21

Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.

Do I need to act?

!
19.2% chance of exploitation in next 30 days
EPSS score — higher than 81% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
2 public exploits available
36874, 36875
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Chyrp

References (12)

Broken Link http://archives.neohapsis.com/archives/bugtraq/2012-02/0121.html
Broken Link http://chyrp.net/2012/02/02/heres-whats-been-going-on-recently/
Third Party Advisory http://www.securityfocus.com/bid/52115
Third Party Advisory http://www.securityfocus.com/bid/52117
Patch https://github.com/vito/chyrp/commit/f69bd791c37e0b154c0bda16f9759ba19cc77f6c
Exploit https://www.htbridge.ch/advisory/HTB23073
Broken Link http://archives.neohapsis.com/archives/bugtraq/2012-02/0121.html
Broken Link http://chyrp.net/2012/02/02/heres-whats-been-going-on-recently/
Third Party Advisory http://www.securityfocus.com/bid/52115
Third Party Advisory http://www.securityfocus.com/bid/52117
Patch https://github.com/vito/chyrp/commit/f69bd791c37e0b154c0bda16f9759ba19cc77f6c
Exploit https://www.htbridge.ch/advisory/HTB23073
51
/ 100
high-risk
Severity 23/34 · High
Exploitability 21/34 · High
Exposure 7/34 · Low