JVN#27531188

Cross-site Scripting vulnerability in Cakifo


Overview

Cakifo does not fully escape image metadata when it renders image attachment pages. If an uploaded image's Exif data contains HTML tags or JavaScript, that content is output unescaped and the tags may be executed in the visitor's browser.
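To illustrate the class of defect described above, here is an added example (not Cakifo's own code) of how a WordPress theme's attachment template might render image metadata. The first function shows the unescaped output pattern; the second shows the escaped form. It assumes a hypothetical template that calls one of these functions with an attachment post ID, and it uses only the real WordPress APIs wp_get_attachment_metadata() and esc_html().

```php
<?php
/**
 * Added illustration, not code from the Cakifo theme. It assumes a
 * hypothetical attachment template that calls one of these functions
 * with the attachment's post ID.
 *
 * wp_get_attachment_metadata() returns the metadata WordPress read from
 * the image file at upload time; its 'image_meta' entry holds Exif/IPTC
 * fields such as 'camera', 'caption', 'title', 'credit' and 'copyright'.
 * Those values come straight from the uploaded file, so they are
 * attacker-controlled whenever uploads are accepted from untrusted users.
 */

// Vulnerable pattern: file-derived metadata is concatenated into HTML
// unchanged, so any markup embedded in an Exif field becomes part of
// the page. This is the shape of bug the advisory describes.
function example_render_image_meta_unescaped( $attachment_id ) {
    $meta = wp_get_attachment_metadata( $attachment_id );
    if ( empty( $meta['image_meta'] ) ) {
        return;
    }
    foreach ( $meta['image_meta'] as $field => $value ) {
        // 'keywords' is an array; skip it and empty fields.
        if ( '' === $value || is_array( $value ) ) {
            continue;
        }
        echo '<li>' . $field . ': ' . $value . '</li>'; // raw output: XSS sink
    }
}

// Hardened form: every metadata value is treated as untrusted text and
// escaped for the HTML body context at the point of output.
function example_render_image_meta_escaped( $attachment_id ) {
    $meta = wp_get_attachment_metadata( $attachment_id );
    if ( empty( $meta['image_meta'] ) ) {
        return;
    }
    foreach ( $meta['image_meta'] as $field => $value ) {
        if ( '' === $value || is_array( $value ) ) {
            continue;
        }
        printf(
            '<li>%s: %s</li>',
            esc_html( $field ),
            esc_html( $value )
        );
    }
}
```

The fix is escaping at output time rather than trying to sanitize the file on upload: esc_html() is the right call for text inside an element body, while a value placed inside an attribute needs esc_attr() instead. Reviewing a theme for this issue means finding every place file-derived metadata reaches an echo, print or printf without one of those escaping functions.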

Products Affected

Impact

An arbitrary script may be executed on the user's web browser.

Solution

Update the theme

Cakifo 1.6.2, which contains a fix for this vulnerability, was released on August 12, 2014.

Don't allow untrusted users to upload images

By default, only users with the upload_files capability are able to upload images. If you allow untrusted users to upload images, you should either disallow that or update the theme to the latest version.

Reporter

CVE Identifier