Date: Tue, 7 Mar 2017 12:16:03 +0100
From: Emilio Pozuelo Monfort <pochu27@...il.com>
To: oss-security@...ts.openwall.com, Craig Small <csmall@....com.au>
Subject: Re: CVE Request: Wordpress: 6 security issues in Wordpress 4.7 2

On 07/03/17 11:44, Craig Small wrote:
> Hello again,
>  Wordpress 4.7.3 fixes 6 security issues.  Summer of Pwnage has reported 2
> here yesterday but here is the list from the wordpress site.
> 
> Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè
> Dale, Yorick Koster, and Simon P. Briggs.
> 
> Control characters can trick redirect URL validation. Reported by Daniel
> Chatfield.
> 
> Unintended files can be deleted by administrators using the plugin deletion
> functionality. Reported by xuliang.
> 
> Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by
> Marc Montpas.
> 
> Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
> 
> Cross-site request forgery (CSRF) in Press This leading to excessive use of
> server resources. Reported by Sipke Mellema.
> 
> 
> Reference:
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Please report these through http://cveform.mitre.org/ to get CVEs assigned, and
follow up here with the CVE identifiers after that's done.

Thanks,
Emilio
