Date: Sat,  7 May 2016 11:21:15 -0400 (EDT)
From: cve-assign@...re.org
To: csmall@....com.au
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: wordpress and mediaelement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://wordpress.org/news/2016/05/wordpress-4-5-2/
> two security issues, both XSS


> WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload

> https://core.trac.wordpress.org/changeset/37382/

> wp-includes/js/plupload/plupload.flash.swf

Use CVE-2016-4566.


> WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS
> using specially crafted URIs through MediaElement.js

> https://core.trac.wordpress.org/changeset/37371

> js/mediaelement/flashmediaelement.swf
> js/mediaelement/mediaelement-and-player.min.js

> https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

> flash/FlashMediaElement.as
> js/me-shim.js

Use CVE-2016-4567.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
