Date: Sun, 12 Mar 2017 20:34:23 +0000
From: Craig Small <csmall@...ian.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Fwd: [scr305104] wordpress before 4.7.3

FYI, The 6 wordpress CVE ids from Mitre.

 - Craig

---------- Forwarded message ---------
From: <cve-request@...re.org>
Date: Sun, Mar 12, 2017 at 11:32 AM
Subject: Re: [scr305104] wordpress before 4.7.3
To: <csmall@...ian.org>
Cc: <cve-request@...re.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> In WordPress before 4.7.3, there is authenticated Cross-Site Scripting
> (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling
> of the playlist shortcode in the wp_playlist_shortcode function in
> wp-includes/media.php and (2) mishandling of meta information in the
> renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 3.6.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Attack Vectors]
> Two Cross-Site Scripting vulnerabilities exist in the playlist
> functionality of WordPress. These issues can be exploited by
> convincing an Editor or Administrator into uploading a malicious MP3
> file. Once uploaded, the issues can be triggered by a Contributor or
> higher using the playlist shortcode.
>
> ------------------------------------------
>
> [Reference]
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
> https://codex.wordpress.org/Version_4.7.3
> https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
> http://openwall.com/lists/oss-security/2017/03/06/8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Chris Andre Dale, Yorick Koster, and Simon P. Briggs

Use CVE-2017-6814.


> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/pluggable.php),
> control characters can trick redirect URL validation.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Trick the URL validation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 2.8.1-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Daniel Chatfield

Use CVE-2017-6815.


> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can
> be deleted by administrators using the plugin deletion functionality.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Insecure Permissions
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7.0-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> wp-admin/plugins.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> TrigInc and xuliang

Use CVE-2017-6816.


> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/embed.php), there is
> authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Marc Montpas

Use CVE-2017-6817.


> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is
> cross-site scripting (XSS) via taxonomy term names.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Taxonomy names
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Delta

Use CVE-2017-6818.


> [Suggested description]
> In WordPress before 4.7.3, there is cross-site request forgery (CSRF)
> in Press This (wp-admin/includes/class-wp-press-this.php), leading to
> excessive use of server resources. The CSRF can trigger an outbound
> HTTP request for a large file that is then parsed by Press This.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.2-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Press This module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Craft an HTML file on a remote server and get an admin to visit it using
> the Press This module.
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
> https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
> http://openwall.com/lists/oss-security/2017/03/06/7
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Sipke Mellema

Use CVE-2017-6819.


- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYxJWeAAoJEHb/MwWLVhi2siMQAKXaKOf5BZpRfjzAX6cg9hr6
NeDP3Pw/LyrWlQNQIX0jg7v0L8WNg1AJ1qU3rnW3y+9Nn9HL2QB6FX5j+TCkmWQQ
9Jufvcl742xqQEGqkROyYjE04uh9WZjp2VOKDJe64edyiJ5hdIO3WH8OrZ5L08WF
jd6YD6jEpuroqyUoY+36un/M8AKP/AFOHOcMknsu4v6WOPCm4D7RX2HifL2pqNar
7k29sxTt727PHlZkDfbs0sOhPy1icrhZ0NzWJ34u42099j6sGUc9Cz/P2OjySYdP
JwB9q2JwWmgbP8HxYNnnFGvdzE6hAZUOvjJiLgU07Y/6T8RrKJpozzzknAZ/fvst
ZM0oCWZxCzleIg0cpk+2FF/l6YJ4scBfITJq/wrpzPbA+UskYk7v2R41T83oli5j
PFqFAZXVg8pOL7VUpwPx6W1dR77HXJe9aOoslgM2SToXBf7amsaJCk3wn0/ysP41
eiNA6x9QHqBQmv4F27GD1F9rX0SYcsnb8L/uUVnnKzTrJiU3wvqeSLeDGhEKi+A7
kzfYX9SVwQod3wKyNg1B+WtlRZc+AV3zg5OThfUIbv+Y6jmowyGUIQXyAkuzsu1b
jmDfdY7X0dD9vaKNOy2W4kBfycRBUH7lB61EIQR3stq1S5v1+GvRLsZh1NBjXQX6
PvQbSfQLSAyPY9xY6/NF
=yD6/
-----END PGP SIGNATURE-----
-- 
Craig Small (@...llsees)   http://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
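The three XSS assignments above (CVE-2017-6814, media file metadata rendered by renderTracks in wp-playlist.js; CVE-2017-6817, YouTube URL embeds in embed.php; CVE-2017-6818, taxonomy term names in tags-box.js) share one root cause: an attacker-influenced string reaches markup without being escaped for the context it lands in. The example below is added here to illustrate that point and is not WordPress code or the 4.7.3 fix. It shows the vulnerable interpolation next to the hardened form for element content, and separately for a URL attribute, where escaping alone is not enough and the scheme and host have to be allowlisted. The markup, the `HOSTILE_TRACK` sample, the `EMBED_HOSTS` allowlist and the function names are all constructed for the illustration.

```javascript
// Escape for HTML element content and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL-attribute context. Escaping alone does not help: "javascript:alert(1)" is a
// perfectly well-formed attribute value. Parse, allowlist scheme and host, then
// escape the canonical form that will actually be emitted.
function safeEmbedSrc(rawUrl, allowedHosts) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return null;                                   // not an absolute URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!allowedHosts.includes(url.hostname)) return null;
  return escapeHtml(url.href);
}

// Vulnerable pattern: tag data read from an uploaded media file (ID3 frames in the
// MP3 case) is interpolated straight into markup on the client.
function renderTrackUnsafe(track) {
  return `<div class="track"><span class="title">${track.title}</span>` +
         `<span class="artist">${track.meta.artist}</span></div>`;
}

// Hardened: every untrusted field is escaped for the context it lands in.
function renderTrackSafe(track) {
  return `<div class="track"><span class="title">${escapeHtml(track.title)}</span>` +
         `<span class="artist">${escapeHtml(track.meta.artist)}</span></div>`;
}

// Same rule for taxonomy term names echoed back into the tag editor.
function renderTermChips(termNames) {
  return termNames.map((name) => `<span class="term">${escapeHtml(name)}</span>`).join('');
}

// Embed from a user-supplied URL: only an allowlisted host over http(s) gets an iframe.
const EMBED_HOSTS = ['www.youtube.com', 'youtube.com'];   // hypothetical allowlist
function renderEmbed(rawUrl) {
  const src = safeEmbedSrc(rawUrl, EMBED_HOSTS);
  return src === null ? '' : `<iframe src="${src}"></iframe>`;
}

// Constructed sample input, not taken from a real file: what a hostile tag could hold.
const HOSTILE_TRACK = {
  title: 'Track 1',
  meta: { artist: '<script>alert(1)</script>' },
};

console.log(renderTrackUnsafe(HOSTILE_TRACK));    // script element survives intact
console.log(renderTrackSafe(HOSTILE_TRACK));      // rendered as inert text
console.log(renderEmbed('javascript:alert(1)'));  // '' (rejected)
```

The split between `escapeHtml` and `safeEmbedSrc` is the point worth keeping: text and attribute contexts need escaping, URL-valued attributes additionally need a parsed, allowlisted value, and what gets escaped must be the canonical form that is emitted, not the raw input.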

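CVE-2017-6815 ("control characters can trick redirect URL validation") turns on a mismatch between the string a validator inspects and the string the browser acts on. HTTP header handling drops leading and trailing whitespace from a header value, and the WHATWG URL parser strips leading and trailing C0 controls and spaces and removes embedded tabs and newlines, so a target that looks like a harmless relative path to a byte-for-byte check can become a protocol-relative URL to another host once it is emitted. The following is an added JavaScript illustration, not WordPress's wp_validate_redirect or the 4.7.3 patch: `naiveIsSafeRedirect` models a check on the raw string, and `safeRedirect` canonicalises first, refuses anything that still carries control characters, and hands back the exact string that is safe to emit. The host names and probes are constructed.

```javascript
// Characters browsers discard before interpreting a URL (WHATWG URL Standard):
// leading/trailing C0 controls and space, plus tab and newline anywhere.
const EDGE_CONTROLS = /^[\x00-\x20]+|[\x00-\x20]+$/g;
const INNER_TAB_NL = /[\t\n\r]/g;
const ANY_CONTROL = /[\x00-\x1F\x7F]/;

// A check modelled on validators that inspect the raw string: anything without a
// recognisable "scheme://host" prefix is taken to be a same-site path.
function naiveIsSafeRedirect(location, allowedHost) {
  let loc = location;
  if (loc.startsWith('//')) loc = 'http:' + loc;             // protocol-relative
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(loc);
  if (!m) return true;                                       // "no host, must be local"
  return m[2].toLowerCase() === allowedHost.toLowerCase();
}

// Hardened: canonicalise the way the browser will, refuse anything that still
// contains control characters, resolve against the site origin, and return the
// canonical string so the caller emits exactly what was validated (or null).
function safeRedirect(location, allowedHost) {
  const canon = String(location).replace(EDGE_CONTROLS, '').replace(INNER_TAB_NL, '');
  if (canon === '' || ANY_CONTROL.test(canon)) return null;
  let url;
  try {
    url = new URL(canon, `https://${allowedHost}/`);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.hostname !== allowedHost.toLowerCase()) return null;
  return canon;
}

// Constructed probes; the host names are placeholders.
const SITE = 'blog.example';
const PROBES = [
  '/wp-admin/',                 // genuine same-site path
  'https://blog.example/x',     // absolute, same host
  '//evil.example/',            // protocol-relative, caught by both checks
  '\t//evil.example/',          // leading tab: naive check sees no "//" prefix
  '/\t/evil.example/',          // embedded tab: browser removes it -> "//evil.example/"
  'javascript:alert(1)',        // no "://", so the naive check calls it local
];

function compareProbes() {
  return PROBES.map((p) => ({
    probe: JSON.stringify(p),
    naive: naiveIsSafeRedirect(p, SITE),
    hardened: safeRedirect(p, SITE),
  }));
}

for (const row of compareProbes()) console.log(row);
```

Returning the canonical string rather than a boolean matters: a validator that strips control characters to decide, then lets the caller emit the original bytes, has merely moved the mismatch one function up.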