Date: Sat, 14 Jan 2017 14:24:15 -0500
From: <cve-assign@...re.org>
To: <csmall@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Wordpress: 8 security issues in 4.7

> https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
> https://codex.wordpress.org/Version_4.7.1

> Remote code execution (RCE) in PHPMailer - No specific issue appears to
> affect WordPress or any of the major plugins we investigated but, out of an
> abundance of caution, we updated PHPMailer in this release. This issue was
> reported to PHPMailer by Dawid Golunski and Paul Buonopane.
> (this is an extra fix for CVE-2016-10066 and CVE-2016-10045; I'll
> leave it to you to decide whether it is the same ID or a new one)

There is no new CVE ID for this.


> The REST API exposed user data for all users who had authored a post of a
> public post type. WordPress 4.7.1 limits this to only post types which have
> specified that they should be shown within the REST API. Reported by
> Krogsgard and Chris Jean.
> https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
> https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/

Use CVE-2017-5487.


> Cross-site scripting (XSS) via the plugin name or version header on
> update-core.php. Reported by Dominik Schilling of the WordPress Security
> Team.
> https://github.com/WordPress/WordPress/commit/c9ea1de1441bb3bda133bf72d513ca9de66566c2

Use CVE-2017-5488.


> Cross-site request forgery (CSRF) bypass via uploading a Flash file.
> Reported by Abdullah Hussam.

Use CVE-2017-5489.


> Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
> https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
> https://www.mehmetince.net/low-severity-wordpress/

Use CVE-2017-5490.


> Post via email checks mail.example.com if default settings aren't changed.
> Reported by John Blackbourn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a

Use CVE-2017-5491.


> A cross-site request forgery (CSRF) was discovered in the accessibility
> mode of widget editing. Reported by Ronnie Skansing.
> https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733

Use CVE-2017-5492.


> Weak cryptographic security for multisite activation key. Reported by Jack.
> https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4

Use CVE-2017-5493.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
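The last item in the thread (CVE-2017-5493, a multisite activation key with weak cryptographic security) is the one a defender can most directly learn from: activation and similar one-time keys must come from a cryptographically secure random source, must expire, and must be compared in constant time. The block below is an added illustration written for this page; it is not WordPress code and does not reproduce the project's fix. The store layout, the two-day lifetime and the 32-byte key size are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed parameters for this example (not taken from WordPress):
KEY_BYTES = 32                       # 256 bits of entropy from the OS CSPRNG
KEY_TTL_SECONDS = 2 * 24 * 3600      # activation links expire after two days


def generate_activation_key() -> str:
    """Return a URL-safe activation key drawn from the OS CSPRNG.

    secrets.token_urlsafe(32) yields 43 characters; the key space is far too
    large to enumerate, unlike a key derived from a timestamp plus a small
    random value, which an attacker can search in a bounded window.
    """
    return secrets.token_urlsafe(KEY_BYTES)


def issue_activation(store: Dict[str, dict], email: str,
                     now: Optional[float] = None) -> str:
    """Create and record a fresh key for `email`; returns the key to mail out."""
    issued = time.time() if now is None else now
    key = generate_activation_key()
    # Re-issuing replaces any older key, so only one key is ever valid.
    store[email] = {"key": key, "issued": issued}
    return key


def verify_activation(store: Dict[str, dict], email: str, presented: str,
                      now: Optional[float] = None) -> bool:
    """Check a presented key: must exist, be unexpired, match exactly, and is single-use."""
    checked_at = time.time() if now is None else now
    record = store.get(email)
    if record is None:
        return False
    if checked_at - record["issued"] > KEY_TTL_SECONDS:
        store.pop(email, None)          # expired keys are discarded, not kept around
        return False
    # hmac.compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guess were correct.
    if not hmac.compare_digest(record["key"].encode(), presented.encode()):
        return False
    store.pop(email, None)              # consume the key: a link works once
    return True


if __name__ == "__main__":
    # Constructed walkthrough with a fake address.
    db: Dict[str, dict] = {}
    t0 = 1_484_421_855.0                # arbitrary fixed "now" for reproducibility
    k = issue_activation(db, "user@example.invalid", now=t0)
    print(len(k), "chars; first use:", verify_activation(db, "user@example.invalid", k, now=t0 + 60))
    print("second use:", verify_activation(db, "user@example.invalid", k, now=t0 + 120))
```

The single-use and expiry handling are the parts most often skipped: a key that stays valid indefinitely, or can be replayed, turns a leak of one old e-mail into a persistent foothold even when the key itself was generated correctly.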
