Description

The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.

Remediation

References

CVE-2010-1916

Related Vulnerabilities

WordPress Plugin Activity Log Cross-Site Scripting (2.3.1)

Caddy Web Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-29718)

TYPO3 Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-3717)

Oracle JRE CVE-2018-2794 Vulnerability (CVE-2018-2794)

Oracle Application Server Other Vulnerability (CVE-2004-1365)

Severity

High

Classification

CVE-2010-1916 CWE-264

Tags

Missing Update Known Vulnerabilities