Date: Sun, 15 Jan 2012 15:32:48 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-request: WordPress 3.1.1

On Sun, 15 Jan 2012 16:09:14 +0200, Henri Salo <henri@...v.fi> wrote:

> If I am correct these WordPress issues are missing CVEs. I checked
> from MITRE's CVE-list and tried Google. Needs two 2011 CVEs.
>
> 1) Certain unspecified input is not properly sanitised before being
> returned to the user. This can be exploited to execute arbitrary HTML
> and script code in a user's browser session in context of an affected
> site. http://osvdb.org/show/osvdb/72141

I think this is CVE-2012-0287:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0287

> 2) The "make_clickable()" function in wp-includes/formatting.php does
> not properly check the URL length in comments before passing it to
> the PCRE library, which can be exploited to cause a crash.
> http://osvdb.org/show/osvdb/72142
>
> http://wordpress.org/news/2011/04/wordpress-3-1-1/
> http://secunia.com/advisories/44038/
> http://seclists.org/cert/2011/63

Don't know if this got one, too.

--
Hanno Böck
mail/jabber: hanno@...eck.de
GPG: BBB51E42
http://www.hboeck.de/