{"id":"CVE-2013-2205","details":"The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.","modified":"2026-04-10T03:44:25.936640Z","published":"2013-07-08T20:55:01Z","related":["MGASA-2013-0198"],"references":[{"type":"ADVISORY","url":"http://wordpress.org/news/2013/06/wordpress-3-5-2/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2013/dsa-2718"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=976784"},{"type":"WEB","url":"http://codex.wordpress.org/Version_3.5.2"},{"type":"WEB","url":"http://make.wordpress.org/core/2013/06/21/secure-swfupload/"},{"type":"WEB","url":"http://www.securityfocus.com/bid/60759"}],"schema_version":"1.7.5"}