
Bug 427790 (CVE-2012-3383)

Summary: <www-apps/wordpress-3.4.1: Multiple vulnerabilities (CVE-2012-{3383,3384,3385})
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: trivial
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Assignee: Gentoo Security <security>
CC: planet, web-apps

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:15:43 UTC
CVE-2012-3385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3385):
  WordPress before 3.4.1 does not properly restrict access to post contents
  such as private or draft posts, which allows remote authors or contributors
  to obtain sensitive information via unknown vectors.

CVE-2012-3384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3384):
  Cross-site request forgery (CSRF) vulnerability in the customizer in
  WordPress before 3.4.1 allows remote attackers to hijack the authentication
  of unspecified victims via unknown vectors.

CVE-2012-3383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3383):
  WordPress 3.4.0 does not properly restrict access to unfiltered_html when
  multisite is enabled, which allows remote administrators or editors to
  perform cross-site scripting (XSS) attacks.


WordPress 3.3.3 was also released [1] to fix some of these issues in the 3.3 branch.

[1] http://codex.wordpress.org/Version_3.3.3
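The three CVEs above are three distinct authorization classes in WordPress: an unfiltered_html capability bypass on multisite (3383), a missing CSRF token on a privileged form (3384), and a missing per-post read check (3385). The snippet below is an added illustration of the checks a plugin or theme author should perform so as not to reintroduce those classes; it is not WordPress core code and not the 3.4.1 patch, and the plugin name "example", its option name, hook name, form field and nonce action are all hypothetical. It relies only on core functions that exist in WordPress (check_admin_referer, current_user_can, wp_kses_post, wp_nonce_field, stripslashes_deep, the admin_post_{action} hook).

```php
<?php
// Added illustration, not WordPress core code and not the 3.4.1 fix.
// Hypothetical plugin "example": an admin form that stores user-supplied HTML
// and a helper that reads a post body. Each function carries one check per
// CVE class from the bug report.

// CVE-2012-3384 class (CSRF) and CVE-2012-3383 class (unfiltered_html).
function example_save_html() {
    // CSRF: refuse any request that does not carry the nonce emitted by
    // example_form(). check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_save_html', 'example_nonce' );

    // Coarse authorization: only users who may edit content at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    $raw = isset( $_POST['example_html'] ) ? stripslashes_deep( $_POST['example_html'] ) : '';

    // unfiltered_html must be checked as a capability, never inferred from the
    // role. On multisite, core's map_meta_cap() maps unfiltered_html to
    // do_not_allow for everyone except super admins, so a sub-site editor or
    // administrator passes the edit_posts check above but fails this one and
    // gets the wp_kses_post() allow-list instead of raw markup.
    $html = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    update_option( 'example_html', $html );   // hypothetical option name

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Form that emits the nonce the save handler verifies.
function example_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_html', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save_html">';
    echo '<textarea name="example_html"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// CVE-2012-3385 class (private/draft post disclosure): check the per-post
// meta capability read_post, which core maps to read_private_posts for other
// users' private posts and to the edit_post capabilities for their drafts, so
// a contributor cannot read another author's unpublished content.
function example_get_post_content( $post_id ) {
    if ( ! current_user_can( 'read_post', $post_id ) ) {
        return null;
    }
    $post = get_post( $post_id );
    return $post ? $post->post_content : null;
}

add_action( 'admin_post_example_save_html', 'example_save_html' );
```

The point of keeping all three checks inside the handlers, rather than relying on which menu a user can see, is that every class on this bug is a server-side authorization gap: the request reached code that acted on it without verifying the nonce, the capability, or the per-post right.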
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:15:21 UTC
=www-apps/wordpress-3.4.1 is in the tree, thanks. Closing noglsa for ~arch only.