Date: Tue, 25 Sep 2012 08:46:31 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com, WordPress Security Team <security@...dpress.org>, Matej Cepl <mcepl@...hat.com>
Subject: CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard

Hello Kurt, Steve, WordPress Security Team, vendors,

an anonymous researcher called 'Akastep' has reported a CSRF flaw being present in the way WordPress of version v3.4.2 and earlier used to process the incoming links section / widget of the dashboard.

References:
  http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
  https://bugzilla.redhat.com/show_bug.cgi?id=860261
  https://bugs.gentoo.org/show_bug.cgi?id=436198
  https://secunia.com/advisories/50715/

AFAIK there is not an upstream ticket and patch for this issue yet (but I might have overlooked something pretty obvious - WordPress upstream please clarify).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
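For readers unfamiliar with how CSRF on a WordPress dashboard widget is normally prevented, the following is an added illustration and not WordPress core code, nor code from the report referenced above. It shows a hypothetical dashboard widget (all names prefixed "example_" are assumptions) whose settings form carries a WordPress nonce, and a handler that refuses the submission unless both the nonce and the user's capability check pass. The standard WordPress functions used (wp_add_dashboard_widget, wp_nonce_field, check_admin_referer, current_user_can) are the real core API.

```php
<?php
// Added illustration, not WordPress core code: a hypothetical dashboard
// widget whose form submission is protected against CSRF by a WordPress
// nonce plus a capability check. Identifiers prefixed "example_" are
// assumptions made for this illustration only.

add_action( 'wp_dashboard_setup', 'example_register_widget' );

function example_register_widget() {
    wp_add_dashboard_widget(
        'example_links_widget',      // assumed widget id
        'Example Links Widget',      // widget title shown on the dashboard
        'example_render_widget'      // callback that prints the widget body
    );
}

function example_render_widget() {
    $url = get_option( 'example_links_url', '' );   // assumed option name
    echo '<form method="post" action="">';
    // Emits a hidden field holding a nonce bound to this action name and
    // to the current user's session; a forged cross-site form cannot
    // know its value.
    wp_nonce_field( 'example_save_links', 'example_nonce' );
    echo '<input type="url" name="example_links_url" value="'
        . esc_attr( $url ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_init', 'example_handle_save' );

function example_handle_save() {
    if ( ! isset( $_POST['example_links_url'] ) ) {
        return;   // nothing submitted for this widget
    }
    // Authorisation: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: dies with an error page unless the submitted nonce is
    // valid for this action and user (also checks the HTTP referer).
    check_admin_referer( 'example_save_links', 'example_nonce' );

    // Sanitise before storing.
    update_option( 'example_links_url',
        esc_url_raw( stripslashes( $_POST['example_links_url'] ) ) );
}
```

The two checks are deliberately independent: current_user_can answers "is this user allowed to do this at all", while check_admin_referer answers "did this user actually intend this request", which is the question a CSRF attack exploits. A widget handler that performs only the first check is exactly the pattern a cross-site form post can abuse.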