CVE-2013-1636 [Medium] | XSS in Prettylinks

Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.

EDB-ID	Source	Kind	Published	Link
38324	exploit_db	edb	2013-02-20	Exploit-DB ↗
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

38324

exploit_db

edb

2013-02-20

Exploit-DB ↗

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-10-26	11.82%	10.32%	-1.50%
2	2025-08-20	13.99%	11.82%	-2.17%
3	2025-05-27	—	13.99%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-10-26

11.82%

10.32%

-1.50%

2025-08-20

13.99%

11.82%

-2.17%

2025-05-27

—

13.99%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

Affected software / configurations for CVE-2013-1636

Vendor	Product	Version	Raw CPE
caseproof	prettylinks	<= 1.6.2	cpe:2.3:a:caseproof:prettylinks::::::::
caseproof	prettylinks	1.6.0	cpe:2.3:a:caseproof:prettylinks:1.6.0:::::::*
caseproof	prettylinks	1.6.1	cpe:2.3:a:caseproof:prettylinks:1.6.1:::::::*
joobi	com_jnews	8.0.1	cpe:2.3:a:joobi:com_jnews:8.0.1:::::::*
civicrm	civicrm	3.1.0	cpe:2.3:a:civicrm:civicrm:3.1.0:::::::*
civicrm	civicrm	3.1.1	cpe:2.3:a:civicrm:civicrm:3.1.1:::::::*
civicrm	civicrm	3.1.2	cpe:2.3:a:civicrm:civicrm:3.1.2:::::::*
civicrm	civicrm	3.1.3	cpe:2.3:a:civicrm:civicrm:3.1.3:::::::*
civicrm	civicrm	3.1.4	cpe:2.3:a:civicrm:civicrm:3.1.4:::::::*
civicrm	civicrm	3.1.5	cpe:2.3:a:civicrm:civicrm:3.1.5:::::::*
civicrm	civicrm	3.1.6	cpe:2.3:a:civicrm:civicrm:3.1.6:::::::*
civicrm	civicrm	3.2.0	cpe:2.3:a:civicrm:civicrm:3.2.0:::::::*
civicrm	civicrm	3.2.1	cpe:2.3:a:civicrm:civicrm:3.2.1:::::::*
civicrm	civicrm	3.2.2	cpe:2.3:a:civicrm:civicrm:3.2.2:::::::*
civicrm	civicrm	3.2.3	cpe:2.3:a:civicrm:civicrm:3.2.3:::::::*
civicrm	civicrm	3.2.4	cpe:2.3:a:civicrm:civicrm:3.2.4:::::::*
civicrm	civicrm	3.2.5	cpe:2.3:a:civicrm:civicrm:3.2.5:::::::*
civicrm	civicrm	3.3.0	cpe:2.3:a:civicrm:civicrm:3.3.0:::::::*
civicrm	civicrm	3.3.1	cpe:2.3:a:civicrm:civicrm:3.3.1:::::::*
civicrm	civicrm	3.3.2	cpe:2.3:a:civicrm:civicrm:3.3.2:::::::*
civicrm	civicrm	3.3.3	cpe:2.3:a:civicrm:civicrm:3.3.3:::::::*
civicrm	civicrm	3.3.5	cpe:2.3:a:civicrm:civicrm:3.3.5:::::::*
civicrm	civicrm	3.3.6	cpe:2.3:a:civicrm:civicrm:3.3.6:::::::*
civicrm	civicrm	3.4.0	cpe:2.3:a:civicrm:civicrm:3.4.0:::::::*
civicrm	civicrm	4.0.5	cpe:2.3:a:civicrm:civicrm:4.0.5:::::::*
civicrm	civicrm	4.1.0	cpe:2.3:a:civicrm:civicrm:4.1.0:::::::*
civicrm	civicrm	4.1.1	cpe:2.3:a:civicrm:civicrm:4.1.1:::::::*
civicrm	civicrm	4.1.2	cpe:2.3:a:civicrm:civicrm:4.1.2:::::::*
civicrm	civicrm	4.1.3	cpe:2.3:a:civicrm:civicrm:4.1.3:::::::*
civicrm	civicrm	4.1.4	cpe:2.3:a:civicrm:civicrm:4.1.4:::::::*
civicrm	civicrm	4.1.5	cpe:2.3:a:civicrm:civicrm:4.1.5:::::::*
civicrm	civicrm	4.1.6	cpe:2.3:a:civicrm:civicrm:4.1.6:::::::*
civicrm	civicrm	4.2.0	cpe:2.3:a:civicrm:civicrm:4.2.0:::::::*
civicrm	civicrm	4.2.1	cpe:2.3:a:civicrm:civicrm:4.2.1:::::::*
civicrm	civicrm	4.2.2	cpe:2.3:a:civicrm:civicrm:4.2.2:::::::*
civicrm	civicrm	4.2.4	cpe:2.3:a:civicrm:civicrm:4.2.4:::::::*
civicrm	civicrm	4.2.5	cpe:2.3:a:civicrm:civicrm:4.2.5:::::::*
civicrm	civicrm	4.2.6	cpe:2.3:a:civicrm:civicrm:4.2.6:::::::*
civicrm	civicrm	4.2.7	cpe:2.3:a:civicrm:civicrm:4.2.7:::::::*
civicrm	civicrm	4.2.8	cpe:2.3:a:civicrm:civicrm:4.2.8:::::::*
civicrm	civicrm	4.2.9	cpe:2.3:a:civicrm:civicrm:4.2.9:::::::*
civicrm	civicrm	4.3.0	cpe:2.3:a:civicrm:civicrm:4.3.0:::::::*
civicrm	civicrm	4.3.1	cpe:2.3:a:civicrm:civicrm:4.3.1:::::::*
civicrm	civicrm	4.3.2	cpe:2.3:a:civicrm:civicrm:4.3.2:::::::*
civicrm	civicrm	4.3.3	cpe:2.3:a:civicrm:civicrm:4.3.3:::::::*

References for CVE-2013-1636

URL	Tags
http://archives.neohapsis.com/archives/bugtraq/2013-02/0101.html	Exploit Patch
http://osvdb.org/90435
http://packetstormsecurity.com/files/120433/WordPress-Pretty-Link-1.6.3-Cross-Site-Scripting.html
http://packetstormsecurity.com/files/121623/Joomla-Jnews-8.0.1-Cross-Site-Scripting.html
http://wordpress.org/plugins/pretty-link/changelog
https://civicrm.org/advisory/civi-sa-2013-002-openflashchart-xss	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/82242

URL

CVE-2013-1636

Public exploit references (Exploit-DB) for CVE-2013-1636

Exploit prediction scoring system (EPSS) score for CVE-2013-1636

Common vulnerability scoring system (CVSS) metrics for CVE-2013-1636

Weakness enumeration for CVE-2013-1636

Affected software / configurations for CVE-2013-1636

References for CVE-2013-1636