Date: Sat, 14 Jan 2017 14:24:15 -0500
From: <cve-assign@...re.org>
To: <csmall@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Wordpress: 8 security issues in 4.7

> https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
> https://codex.wordpress.org/Version_4.7.1

> Remote code execution (RCE) in PHPMailer - No specific issue appears to
> affect WordPress or any of the major plugins we investigated but, out of an
> abundance of caution, we updated PHPMailer in this release. This issue was
> reported to PHPMailer by Dawid Golunski and Paul Buonopane.

> (this is an extra fix for the CVE-2016-10066 and CVE-2016-10045, I'll
> leave it to you to decide if it is same ID or new)

There is no new CVE ID for this.

> The REST API exposed user data for all users who had authored a post of a
> public post type. WordPress 4.7.1 limits this to only post types which have
> specified that they should be shown within the REST API. Reported by
> Krogsgard and Chris Jean.
> https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
> https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/

Use CVE-2017-5487.

> Cross-site scripting (XSS) via the plugin name or version header on
> update-core.php. Reported by Dominik Schilling of the WordPress Security
> Team.
> https://github.com/WordPress/WordPress/commit/c9ea1de1441bb3bda133bf72d513ca9de66566c2

Use CVE-2017-5488.

> Cross-site request forgery (CSRF) bypass via uploading a Flash file.
> Reported by Abdullah Hussam.

Use CVE-2017-5489.

> Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
> https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
> https://www.mehmetince.net/low-severity-wordpress/

Use CVE-2017-5490.
> Post via email checks mail.example.com if default settings aren't changed.
> Reported by John Blackbourn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a

Use CVE-2017-5491.

> A cross-site request forgery (CSRF) was discovered in the accessibility
> mode of widget editing. Reported by Ronnie Skansing.
> https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733

Use CVE-2017-5492.

> Weak cryptographic security for multisite activation key. Reported by Jack.
> https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4

Use CVE-2017-5493.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]