Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 15 Jan 2012 16:09:14 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-request: WordPress 3.1.1

If I am correct these WordPress issues are missing CVEs. I checked from MITREs CVE-list and tried Google. Needs two 2011 CVE.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
http://osvdb.org/show/osvdb/72141

2) The "make_clickable()" function in wp-includes/formatting.php does not properly check the URL length in comments before passing it to the PCRE library, which can be exploited to cause a crash.
http://osvdb.org/show/osvdb/72142

http://wordpress.org/news/2011/04/wordpress-3-1-1/
http://secunia.com/advisories/44038/
http://seclists.org/cert/2011/63

I even contacted WordPress administrators and asked if this does have CVE, but they haven't replied for some reason.

- Henri Salo

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ