Date: Tue, 25 Sep 2012 08:46:31 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com,
        WordPress Security Team <security@...dpress.org>,
        Matej Cepl <mcepl@...hat.com>
Subject: CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard

Hello Kurt, Steve, WordPress Security Team, vendors,

  an anonymous researcher called 'Akastep' has reported
a CSRF flaw being present in the way WordPress version
3.4.2 and earlier used to process the incoming links section /
widget of the dashboard.

References:

[1] http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=860261
[3] https://bugs.gentoo.org/show_bug.cgi?id=436198
[4] https://secunia.com/advisories/50715/

AFAIK there is not an upstream ticket and patch for this issue
yet (but I might have overlooked something pretty obvious - WordPress
upstream please clarify).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
