Summary: | <www-apps/wordpress-3.3.2 Multiple vulnerabilities (CVE-2012-{2399,2400,2401,2402,2403,2404}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Laurent Bachelier <laurent> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | planet, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://wordpress.org/news/2012/04/wordpress-3-3-2/ | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Laurent Bachelier
2012-04-21 04:33:09 UTC
+1

+1

This is a bugtracker, not Google+. If you must, use that vote feature, but don't spam. Thanks.

and for the record I will take care of it today after work

3.3.2 added to CVS.

(In reply to comment #5)
> 3.3.2 added to CVS.

Thanks, Tim. Please update when 3.3.1 is cleaned out and we will get this closed.

CVE-2012-2404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2404): wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

CVE-2012-2403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2403): wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

CVE-2012-2402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2402): wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.

CVE-2012-2401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2401): Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.

CVE-2012-2400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2400): Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.

CVE-2012-2399 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2399): Unspecified vulnerability in wp-includes/js/swfupload/swfupload.swf in WordPress before 3.3.2 has unknown impact and attack vectors.

(In reply to comment #6)
> Thanks, Tim. Please update when 3.3.1 is cleaned out and we will get this
> closed.

3.3.1 has now been removed from the tree.

(In reply to comment #8)
> > 3.3.1 has now been removed from the tree.

Thanks, Tim. Closing noglsa.