Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 12 Mar 2017 20:34:23 +0000
From: Craig Small <csmall@...ian.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Fwd: [scr305104] wordpress before 4.7.3

FYI, The 6 wordpress CVE ids from Mitre.

 - Craig

---------- Forwarded message ---------
From: <cve-request@...re.org>
Date: Sun, Mar 12, 2017 at 11:32 AM
Subject: Re: [scr305104] wordpress before 4.7.3
To: <csmall@...ian.org>
Cc: <cve-request@...re.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> In WordPress before 4.7.3,
> there is
> authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is
demonstrated by both
> (1) mishandling of
> the playlist shortcode in the wp_playlist_shortcode function in
wp-includes/media.php
> and (2) mishandling of meta information in the renderTracks function in
> wp-includes/js/mediaelement/wp-playlist.js.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 3.6.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Attack Vectors]
> Two Cross-Site Scripting vulnerabilities exists in the playlist
> functionality of WordPress. These issues can be exploited by
> convincing an Editor or Administrator into uploading a malicious MP3
> file. Once uploaded the issues can be triggered by a Contributor or
> higher using the playlist shortcode.
>
> ------------------------------------------
>
> [Reference]
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
> https://codex.wordpress.org/Version_4.7.3
>
https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
> http://openwall.com/lists/oss-security/2017/03/06/8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Chris Andre Dale, Yorick Koster, and Simon P. Briggs

Use CVE-2017-6814.


> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/pluggable.php),
> control characters can trick redirect URL validation.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Trick the URL validation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 2.8.1-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Daniel Chatfield

Use CVE-2017-6815.


> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/plugins.php),
> unintended files can be deleted by administrators using the plugin
deletion functionality.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Insecure Permissions
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7.0-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> wp-admin/plugins.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> TrigInc and xuliang

Use CVE-2017-6816.


> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/embed.php),
> there is
> authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Marc Montpas

Use CVE-2017-6817.


> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/js/tags-box.js),
> there is
> cross-site scripting (XSS) via taxonomy term names.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Taxonomy names
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Delta

Use CVE-2017-6818.


> [Suggested description]
> In WordPress before 4.7.3,
> there is
> cross-site request forgery (CSRF) in Press This
> (wp-admin/includes/class-wp-press-this.php), leading to excessive use of
server resources.
> The CSRF can trigger an outbound HTTP request for a large file that is
then parsed by Press This.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.2-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Press This module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Craft a html file on a remote server and get admin to visit it using
Press This module
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
>
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
>
https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
>
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
> http://openwall.com/lists/oss-security/2017/03/06/7
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Sipke Mellema

Use CVE-2017-6819.


- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYxJWeAAoJEHb/MwWLVhi2siMQAKXaKOf5BZpRfjzAX6cg9hr6
NeDP3Pw/LyrWlQNQIX0jg7v0L8WNg1AJ1qU3rnW3y+9Nn9HL2QB6FX5j+TCkmWQQ
9Jufvcl742xqQEGqkROyYjE04uh9WZjp2VOKDJe64edyiJ5hdIO3WH8OrZ5L08WF
jd6YD6jEpuroqyUoY+36un/M8AKP/AFOHOcMknsu4v6WOPCm4D7RX2HifL2pqNar
7k29sxTt727PHlZkDfbs0sOhPy1icrhZ0NzWJ34u42099j6sGUc9Cz/P2OjySYdP
JwB9q2JwWmgbP8HxYNnnFGvdzE6hAZUOvjJiLgU07Y/6T8RrKJpozzzknAZ/fvst
ZM0oCWZxCzleIg0cpk+2FF/l6YJ4scBfITJq/wrpzPbA+UskYk7v2R41T83oli5j
PFqFAZXVg8pOL7VUpwPx6W1dR77HXJe9aOoslgM2SToXBf7amsaJCk3wn0/ysP41
eiNA6x9QHqBQmv4F27GD1F9rX0SYcsnb8L/uUVnnKzTrJiU3wvqeSLeDGhEKi+A7
kzfYX9SVwQod3wKyNg1B+WtlRZc+AV3zg5OThfUIbv+Y6jmowyGUIQXyAkuzsu1b
jmDfdY7X0dD9vaKNOy2W4kBfycRBUH7lB61EIQR3stq1S5v1+GvRLsZh1NBjXQX6
PvQbSfQLSAyPY9xY6/NF
=yD6/
-----END PGP SIGNATURE-----
-- 
Craig Small (@...llsees)   http://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ